Alert Correlation in a Cooperative Intrusion Detection Framework
1 / 28
Title:
Alert Correlation in a Cooperative Intrusion Detection Framework
Description:
Alert Correlation in a Cooperative Intrusion Detection Framework ... developed in MIRADOR project. MIRADOR aims to build a cooperative and adaptive IDS platform. ... –
Number of Views:132
Avg rating:3.0/5.0
Title: Alert Correlation in a Cooperative Intrusion Detection Framework
1
Alert Correlation in a Cooperative Intrusion
Detection Framework
- Frederic Cuppens Alexandre Miege
- France, 2002
2
Outline
- Introduction
- General principles
- Correlation approach
- Semi-explicit correlation in LAMBDA
- Abductive correlation
- Conclusion
3
Introduction (1/2)
- Two main intrusion detection approaches
- behavioral approach (anomaly detection)
- signature analysis (misuse detection)
- None of these approaches is fully satisfactory
- false positives
- false negatives
4
Introduction (2/2)
- Disadvantages of traditional IDS
- generated too many alerts, low-level
- CRIM
- a cooperative module for intrusion detection
- alert clustering, merging, correlation
- developed in MIRADOR project
- MIRADOR aims to build a cooperative and adaptive
IDS platform.
5
General principles
- CRIM Architecture
- Alert modeling
- Attack specification in LAMBDA
6
CRIM Architecture
alert modeling
alerts (Intrusion Detection Message Exchange
Format)
7
Alert modeling
8
Attack specification in LAMBDA
- In LAMBDA, an attack is specified using five
fields - Attack pre-condition
- Attack post-condition
- Attack scenario
- Detection scenario
- Verification scenario
9
(No Transcript)
10
(No Transcript)
11
(No Transcript)
12
(No Transcript)
13
Correlation approach
- Two main approaches
- Explicit correlation
- can express some connections between events
- Implicit correlation
- by data analysis to bring out some mappings and
relations between events - must be possible to express explicitly known
logical links between attacks - attack_correlation(Attack1, Attack2)
14
Correlation approach
- However, the objective is not to correlate
attacks but to correlate alerts - alert_correlation(Alert1, Alert2)
- This predicate is used to specify correlation
rules.
15
(No Transcript)
16
Semi-explicit correlation in LAMBDA
- Definition of alert correlation
- Generating correlation rules
- Applying correlation rules
17
Definition of alert correlation
- A and B are two attacks.
18
Definition of alert correlation
19
Definition of alert correlation
20
Definition of alert correlation
21
Definition of alert correlation
22
Generating correlation rules
- Notice that all the correlation rules are
automatically generated by analyzing the
descriptions in LAMBDA of the set of attacks.
23
Generating correlation rules
24
Applying correlation rules
- After all the correlation rules are generated,
the online correlation process can start. - receive a new alert Alert1
- Attack1 be the classification associated with
Alert1 - check if there are other alerts already stored in
the database (Attack2) - attack_correlation(Attack1, Attack2)
- check correlation rules
25
Abductive correlation
26
(No Transcript)
27
(No Transcript)
28
Conclusion
- Correlation function in CRIM
- attack (LAMBDA)
- offline correlation process
- automatically generate correlation rules
- online correlation process
- final attack objective
Recommended
CrystalGraphics Presentations
