Facilitating Alert Correlation Using Resource Trees

dc.contributor.advisor: Dr. Peng Ning, Committee Chair
dc.contributor.advisor: Dr. Douglas S. Reeves, Committee Member
dc.contributor.advisor: Dr. Ting Yu, Committee Member
dc.contributor.author: Mahalati, Jaideep
dc.date.accessioned: 2010-04-02T18:17:12Z
dc.date.available: 2010-04-02T18:17:12Z
dc.date.issued: 2005-08-08
dc.degree.discipline: Computer Science
dc.degree.level: thesis
dc.degree.name: MS
dc.description.abstract: With the steady increase in the number of attacks against networks and hosts, security systems such as intrusion detection systems are widely deployed in networks. Intrusion detection systems may flag large numbers of alerts, in which false alerts are mixed with true ones. To understand the security threats and take appropriate actions, it is necessary to perform alert correlation. One class of alert correlation methods is the prerequisite and consequence based approach, where the prerequisite of an attack is the condition necessary to launch it, and the consequence of an attack is the possible outcome if it succeeds. By matching the consequences of earlier attacks with the prerequisites of later ones, attack scenarios can be discovered. However, one limitation of these approaches is that specifying prerequisites and consequences for different alert types is usually time-consuming and error-prone. To address this limitation, this thesis proposes a resource tree based method to facilitate the specification of prerequisites and consequences. Attacks can be viewed from the perspective of resources; example resources include various network services and privileges. This thesis further organizes resources into trees, where the nodes are labelled with conditions (represented by predicates). To specify the prerequisite and consequence of an attack, one looks for the resource trees related to the attack's prerequisite and consequence, traverses the trees to find the appropriate nodes, and finally selects the suitable predicates to put into the prerequisite and consequence. This approach is simple and less expert-dependent. The usability study and comprehensiveness study (with more than 3000 alert types) demonstrate the effectiveness of this approach. Correlation results with different datasets further show that prerequisites and consequences defined using our methodology can be effectively used for alert correlation.
dc.identifier.other: etd-08072005-234228
dc.identifier.uri: http://www.lib.ncsu.edu/resolver/1840.16/2759
dc.rights: I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report.
dc.subject: Resource Tree
dc.subject: Alert Correlation
dc.subject: Intrusion Detection
dc.title: Facilitating Alert Correlation Using Resource Trees

Files

etd.pdf (752.23 KB, Adobe Portable Document Format)