
Correlation of Heterogenous IDS Alerts for Attack Detection

Carey, Nathan. January 2004.
With the increasing use of Intrusion Detection Systems (IDS) as a core component of network security, a vast array of competing products has appeared to fulfil the role of reliably detecting potential breaches of security in a network. The domain of detecting intrusions is large. This leads to products which are better at detecting some intrusions than others, and so to the use of multiple different types of IDS within a network. This typical usage, combined with the common practice of using IDS at multiple points in the network, requires sophisticated management of heterogeneous alerts from multiple sources. This management should enable correlation of alerts with the goal of better detecting attacks, and reducing the monitoring workload on administrators. This thesis presents an architecture utilising commodity components and the Intrusion Detection Message Exchange Format (IDMEF) to enable this type of alert management. A signature scheme for the specification of patterns of alerts that indicate multi-step attacks is given, and a methodology for analysing alerts using the architecture that was developed. The final outcomes are a signature system and a collection of tools integrated in a GUI management interface to aid in the detection of attacks, and the results of utilising these tools on a series of experiments in attack detection.
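The abstract describes two pieces that a reader may want to see concretely: normalising IDMEF alerts from sensors of different kinds into one form, and matching a signature that describes a multi-step attack as an ordered pattern of alerts. The following is an added example written for this page; it is not the thesis's architecture, its signature language, or its tools. It parses minimal IDMEF-Message documents (RFC 4765 element names and the http://iana.org/idmef namespace, but only the fields needed here), then matches a hypothetical three-step signature (scan, then exploit, then host compromise against the same target from the same source, all within a time window). The analyzer ids, addresses, classification texts and the signature itself are constructed sample data, not results from the thesis.

```python
"""Added example (not code from the thesis): normalise IDMEF (RFC 4765) alerts
from heterogeneous sensors and match them against a multi-step attack signature."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

IDMEF_NS = "http://iana.org/idmef"
NS = {"i": IDMEF_NS}


@dataclass(frozen=True)
class Alert:
    analyzer: str            # analyzerid of the reporting sensor
    time: datetime
    src: Optional[str]       # first Source address, if any
    dst: Optional[str]       # first Target address, if any
    classification: str      # Classification/@text


@dataclass(frozen=True)
class Step:
    name: str
    pattern: str             # case-insensitive regex over the classification text


@dataclass(frozen=True)
class Signature:
    name: str
    steps: tuple             # ordered Steps; every one must occur, in order
    window: timedelta        # later steps must fall within this time of step 1
    same_source: bool = True # require the same attacker address as step 1


def parse_idmef(xml_text: str) -> List[Alert]:
    """Extract the correlation-relevant fields from one IDMEF-Message."""
    root = ET.fromstring(xml_text)
    out = []
    for a in root.iter(f"{{{IDMEF_NS}}}Alert"):
        analyzer = a.find("i:Analyzer", NS).get("analyzerid", "unknown")
        when = datetime.fromisoformat(a.findtext("i:CreateTime", namespaces=NS).strip())
        src = a.findtext("i:Source/i:Node/i:Address/i:address", None, NS)
        dst = a.findtext("i:Target/i:Node/i:Address/i:address", None, NS)
        text = a.find("i:Classification", NS).get("text", "")
        out.append(Alert(analyzer, when, src, dst, text))
    return out


def _matches(step: Step, alert: Alert) -> bool:
    return re.search(step.pattern, alert.classification, re.IGNORECASE) is not None


def correlate(alerts: List[Alert], sig: Signature) -> List[List[Alert]]:
    """Return every chain of alerts that completes `sig`, in step order.
    A chain starts at any alert matching step 1 and is extended by the earliest
    later alert that matches the next step, targets the same host (and, if
    sig.same_source, comes from the same source), inside the window."""
    ordered = sorted(alerts, key=lambda a: a.time)
    chains = []
    for i, first in enumerate(ordered):
        if not _matches(sig.steps[0], first):
            continue
        chain = [first]
        for cand in ordered[i + 1:]:
            if cand.time - first.time > sig.window or len(chain) == len(sig.steps):
                break
            if cand.dst != first.dst or (sig.same_source and cand.src != first.src):
                continue
            if _matches(sig.steps[len(chain)], cand):
                chain.append(cand)
        if len(chain) == len(sig.steps):
            chains.append(chain)
    return chains


def _msg(analyzer: str, when: str, src: str, dst: str, text: str) -> str:
    """Constructed IDMEF message: minimal, but namespaced as RFC 4765 requires."""
    return f"""<IDMEF-Message version="1.0" xmlns="{IDMEF_NS}">
  <Alert messageid="{analyzer}-{when}">
    <Analyzer analyzerid="{analyzer}"/>
    <CreateTime>{when}</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>{src}</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>{dst}</address></Address></Node></Target>
    <Classification text="{text}"/>
  </Alert>
</IDMEF-Message>"""


# Constructed sample feed from two sensors of different kinds: a network IDS in
# the DMZ and a host sensor on the web server. Only attacker 198.51.100.7
# completes all three steps inside the window; 198.51.100.99 scans, then
# exploits too late (19 min after the scan) to be chained.
SAMPLE_MESSAGES = [
    _msg("nids-dmz", "2004-01-12T10:00:00+00:00", "198.51.100.7", "192.0.2.10", "Port scan"),
    _msg("nids-dmz", "2004-01-12T10:01:00+00:00", "198.51.100.99", "192.0.2.10", "Port scan"),
    _msg("nids-dmz", "2004-01-12T10:02:30+00:00", "198.51.100.7", "192.0.2.10", "Web server exploit attempt"),
    _msg("hids-web01", "2004-01-12T10:03:10+00:00", "198.51.100.7", "192.0.2.10", "Privilege escalation: root shell spawned"),
    _msg("nids-dmz", "2004-01-12T10:20:00+00:00", "198.51.100.99", "192.0.2.10", "Web server exploit attempt"),
    _msg("hids-web01", "2004-01-12T10:21:00+00:00", "198.51.100.99", "192.0.2.10", "Privilege escalation: root shell spawned"),
]

# Hypothetical signature, not the thesis's notation.
SCAN_EXPLOIT_COMPROMISE = Signature(
    name="scan -> exploit -> host compromise",
    steps=(Step("recon", r"scan"), Step("exploit", r"exploit"), Step("compromise", r"root shell|privilege")),
    window=timedelta(minutes=10),
)


def run_example() -> List[List[Alert]]:
    alerts = [a for m in SAMPLE_MESSAGES for a in parse_idmef(m)]
    return correlate(alerts, SCAN_EXPLOIT_COMPROMISE)


if __name__ == "__main__":
    for chain in run_example():
        print(SCAN_EXPLOIT_COMPROMISE.name, "on", chain[0].dst, "from", chain[0].src)
        for step, a in zip(SCAN_EXPLOIT_COMPROMISE.steps, chain):
            print(f"  {step.name:<10} {a.time.isoformat()} {a.analyzer:<10} {a.classification}")
```

The point of the example is the reduction in operator workload the abstract mentions: six alerts from two sensors collapse to one finding, and the two alerts from the second attacker are dropped because the exploit arrives outside the signature's window. Real deployments need more than this (alerts without addresses, sensors whose clocks disagree, signatures whose steps may be reported by any of several sensors), but the normalise-then-match structure is the same.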