Intrusion Detection and Correlation - Challenges and Solutions

Intrusion Detection and Correlation: Challenges and Solutions......Page 1
Table Of Contents......Page 6
List of Figures......Page 10
List of Tables......Page 12
Preface......Page 14
1. INTRODUCTION......Page 16
1 Motivating Scenario......Page 18
2 Alert Correlation......Page 21
3 Organization......Page 22
1 Security Attacks and Security Properties......Page 24
2.1 Attack Prevention......Page 26
2.2 Attack Avoidance......Page 27
3 Intrusion Detection......Page 32
3.1Architecture......Page 34
3.2Taxonomy......Page 35
3.3Detection Method......Page 36
3.5Audit Source Location......Page 40
3.7 IDS Cooperation and Alert Correlation......Page 43
3. ALERT CORRELATION......Page 44
4. ALERT COLLECTION......Page 50
1 Alert Normalization......Page 51
2 Alert Preprocessing......Page 52
2.1 Determining the Alert Time......Page 53
2.3 Determining the Attack\'s Name......Page 57
1 Alert Fusion......Page 58
2 Alert Verification......Page 60
2.2 Active Approach......Page 63
3 Attack Thread Reconstruction......Page 67
4 Attack Session Reconstruction......Page 68
5 Attack Focus Recognition......Page 71
1 Multistep Correlation......Page 74
2 Impact Analysis......Page 78
3 Alert Prioritizing......Page 80
4 Alert Sanitization......Page 81
7. LARGE-SCALE CORRELATION......Page 86
1.1 Definitions......Page 92
1.2 Attack Specification Language......Page 93
1.3 Language Grammar......Page 94
2.1 Basic Data Structures......Page 95
2.2 Constraints......Page 97
2.3 Detection Process......Page 98
2.4 Implementation Issues......Page 105
1 Evaluation of Traditional ID Sensors......Page 108
1.1 Evaluation Efforts......Page 109
2 Evaluation of Alert Correlators......Page 110
2.1 Evaluation Efforts......Page 111
2.2 Problems......Page 113
2.3 Correlation Evaluation Truth Files......Page 114
2.4 Factors Affecting the Alert Reduction Rate......Page 115
1 Intrusion Detection......Page 118
2 Alert Correlation......Page 121
10. CONCLUSIONS......Page 124
References......Page 126
Index......Page 132