Integrating Multiple Information Resource to Analyze Intrusion Alerts

No Thumbnail Available

Date

2006-12-22

Journal Title

Series/Report No.

Journal ISSN

Volume Title

Publisher

Abstract

Intrusion detection systems (IDSs) are important components of network security. However, it is well known that current IDSs generate large amount of alerts, including both true and false alerts. Other than proposing new techniques to detect intrusions without such problems, this thesis presents some work we have done in improving the study of IDS alerts by incorporating other sources of relevant information. In particular, the work covers four issues. The first issue is to integrate and reason about IDS alerts as well as reports by system monitoring or vulnerability scanning tools (discussed in Chapter 3). To facilitate the modeling of intrusion evidence, this approach classifies intrusion evidence into either event-based evidence or state-based evidence. Event-based evidence refers to observations (or detections) of intrusive actions (e.g., IDS alerts), while state-based evidence refers to observations of the effects of intrusions on system states. Based on the interdependency between event-based and state-based evidence, we developed techniques to automatically integrate complementary evidence into Bayesian networks, and reason about uncertain or unknown intrusion evidence based on verified evidence. The second issue is the study of the robustness of the Bayesian analysis framework toward inaccuracies in the assignments of prior confidence with sensitivity analysis and qualitative analysis (discussed in Chapter 4). By performing sensitivity analysis and qualitative analysis on the Bayesian networks used to reason about intrusion evidence, we can measure or approximate individual evidence's influence on the reasoning results. Such study on the framework's robustness properties can provide guide line for evidence collection and analyses. The third issue is to improve alert correlation by integrating alert correlation techniques with OS-level object dependency tracking (discussed in Chapter 5). With the support of more detailed and precise information from OS-level event logs, higher accuracy in alert correlation can be achieved. The chapter also discusses the application of such integration in making hypotheses about possibly missed attacks. The fourth issue is to correlate intrusion alert and other security event information from multiple heterogeneous sources while protecting the privacy for each participating parties (discussed in Chapter 6). Based on a sanitization scheme utilizing both generalization and randomization, we proposed several techniques to flexibly balance between the privacy protection and the analysis capability of the sanitized data. We also studied the various analyses supported by the sharing framework and its security against some different types of attacks. Finally, the conclusion of my dissertation is provided and future work is pointed out.

Description

Keywords

alert correlation, intrusion detection, network security

Citation

Degree

PhD

Discipline

Computer Science

Collections