1 | Multiple Sensor Anomaly Correlation
Tsai, Min-ying, 10 January 2012
An Intrusion Detection System (IDS) detects intrusions and generates alerts for the administrator. As the Internet has become more popular, IDS products generate so many alerts that administrators spend a great deal of time analyzing them in order to understand the network situation. Many online services also record service details in logs, and administrators likewise spend much time analyzing those logs. IDS suffer from several limitations: the sheer volume of alerts, the fact that most alerts are false positives, and the fact that certain attacks may not be detected by the IDS at all. To address these limitations, four alert correlation techniques are used: alert attribute similarity, predefined attack scenarios, multi-stage approaches, and verification to filter false-positive alerts. A network attack consists of multiple steps, and each step may leave evidence in a log or be detected by an IDS. Service logs record both normal and abnormal behavior in detail, whereas IDS alerts record single attack steps. In this work, alerts and logs are first merged into meta-alerts and meta-logs. Second, two features are used to filter the meta-logs. Then the meta-alerts are correlated with the filtered meta-logs to produce a report for administrators.

2 | A Probabilistic-Based Framework for INFOSEC Alert Correlation
Qin, Xinzhou, 15 July 2005
Deploying a large number of information security (INFOSEC) systems can provide in-depth protection for systems and networks. However, the sheer number of security alerts output by security sensors can overwhelm security analysts and prevent them from performing effective analysis and taking timely response. Therefore, alert correlation is the core component in a security management system.
Most existing alert correlation techniques depend on a priori, hard-coded domain knowledge, which limits their ability to detect new attack strategies. These approaches also focus more on the aggregation and analysis of raw security alerts, and build only basic or low-level attack scenarios.
This thesis focuses on discovering novel attack strategies through the analysis of security alerts. Our framework helps security administrators aggregate redundant alerts, intelligently correlate security alerts, analyze attack strategies, and take appropriate actions against forthcoming attacks.
In alert correlation, we have developed an integrated correlation system with three complementary correlation mechanisms. We have developed a probabilistic-based correlation engine that incorporates domain knowledge to correlate alerts that have a direct causal relationship. We have developed a statistical analysis-based and a temporal analysis-based correlation engine to discover attack transition patterns in which attack steps do not have a direct causal relationship in terms of security and performance measures but exhibit statistical and temporal patterns. We construct attack scenarios and conduct attack path analysis based on the correlation results. Security analysts are presented with aggregated information on attack strategies from the integrated correlation system.
In attack plan recognition, we address the challenges of identifying the attacker's high-level strategies and intentions as well as predicting upcoming attacks. We apply graph-based techniques to correlate isolated attack scenarios derived from low-level alert correlation, based on their relationship in attack plans. We conduct probabilistic inference to evaluate the likelihood of attack goal(s) and predict potential upcoming attacks based on observed attack activities.
We evaluate our algorithms using DARPA's Grand Challenge Problem (GCP) data sets and live traffic data collected from our backbone network. The results show that our approach can effectively discover novel attack strategies, provide a quantitative analysis of attack scenarios and identify attack plans.

3 | An orchestration approach for unwanted internet traffic identification
FEITOSA, Eduardo Luzeiro, 31 January 2010, Universidade Federal do Amazonas
A brief examination of current Internet traffic shows a mixture of known and unknown services, new and old applications, legitimate and illegitimate traffic, solicited and unsolicited data, and traffic that is highly relevant or simply unwanted. Among these, unwanted Internet traffic has become increasingly harmful to the performance and availability of services, making network resources scarce. Typically, this type of traffic is represented by spam, phishing, denial-of-service attacks (DoS and DDoS), viruses and worms, misconfiguration of resources and services, among other sources.
Despite various efforts, isolated and/or coordinated, unwanted Internet traffic continues to grow. First, because it represents a vast range of user applications, data and information with different objectives. Second, because of the ineffectiveness of current solutions in identifying and reducing this type of traffic. Finally, a clear definition of what unwanted traffic is still needs to be established.
In order to solve these problems, and motivated by the level that unwanted traffic has reached, this thesis presents:
1. A study of the universe of unwanted Internet traffic, presenting definitions, discussions of context and classification, and a series of existing and potential solutions.
2. A methodology for identifying unwanted traffic based on orchestration. OADS (Orchestration Anomaly Detection System) is a single platform for the identification of unwanted traffic that allows cooperative and integrated management of methods, tools and solutions aimed at identifying unwanted traffic.
3. The design and implementation of modular solutions that can be integrated into the proposed methodology. The first is a Web information retrieval support system (WIRSS), called OADS Miner or simply ARAPONGA, whose function is to gather security information about vulnerabilities, attacks, intrusions and traffic anomalies available on the Web, index it efficiently and provide a search engine focused on this type of information. The second, called Alert Pre-Processor, is a scheme that uses a clustering technique to receive alerts from multiple sources, aggregate them and extract the most relevant ones, enabling correlation and possibly the recognition of the strategies used in attacks. The third and last is an alert correlation and fusion mechanism, FER Analyzer, which uses the frequent episode discovery (FED) technique to find sequences of alerts that are used to confirm attacks and possibly predict future events.
In order to evaluate the proposal and its implementations, a series of experiments were conducted with the objective of demonstrating the effectiveness and precision of the solutions

4 | Data Fusion Process Refinement in Intrusion Detection Alert Correlation Systems
Sheets, David, January 2008
No description available.

5 | Hidden Markov models and alert correlations for the prediction of advanced persistent threats
Ghafir, Ibrahim; Kyriakopoulos, K.G.; Lambotharan, S.; Aparicio-Navarro, F.J.; Assadhan, B.; Binsalleeh, H.; Diab, D.M., 24 January 2020
Cyber security has become a matter of global interest, and several attacks target industrial companies and governmental organizations. Advanced persistent threats (APTs) have emerged as a new and complex version of multi-stage attacks (MSAs), targeting selected companies and organizations. Current APT detection systems focus on raising detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts that are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilizes the hidden Markov model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage being the next step of the attacker. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. In addition, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% based on two, three, and four correlated alerts, respectively.
Funding: The Gulf Science, Innovation and Knowledge Economy Programme of the U.K. Government under UK-Gulf Institutional Link Grant IL 279339985 and in part by the Engineering and Physical Sciences Research Council (EPSRC), U.K., under Grant EP/R006385/1.

6 | Detection of advanced persistent threat using machine-learning correlation analysis
Ghafir, Ibrahim; Hammoudeh, M.; Prenosil, V.; Han, L.; Hegarty, R.; Rabie, K.; Aparicio-Navarro, F.J., 24 January 2020
As one of the most serious types of cyber attack, Advanced Persistent Threats (APT) have caused major concerns on a global scale. APT refers to a persistent, multi-stage attack with the intention to compromise the system and gain information from the targeted system, which has the potential to cause significant damage and substantial financial loss. The accurate detection and prediction of APT is an ongoing challenge. This work proposes a novel machine learning-based system entitled MLAPT, which can accurately and rapidly detect and predict APT attacks in a systematic way. The MLAPT runs through three main phases: (1) Threat detection, in which eight methods have been developed to detect different techniques used during the various APT steps. The implementation and validation of these methods with real traffic is a significant contribution to the current body of research; (2) Alert correlation, in which a correlation framework is designed to link the outputs of the detection methods, aiming to identify alerts that could be related and belong to a single APT scenario; and (3) Attack prediction, in which a machine learning-based prediction module is proposed based on the correlation framework output, to be used by the network security team to determine the probability of the early alerts developing into a complete APT attack. MLAPT is experimentally evaluated and the presented system is able to predict APT in its early steps with a prediction accuracy of 84.8%.

7 | BotDet: a system for real time Botnet command and control traffic detection
Ghafir, Ibrahim; Prenosil, V.; Hammoudeh, M.; Baker, T.; Jabbar, S.; Khalid, S.; Jaf, S., 24 January 2020
Over the past decade, the digitization of services transformed the healthcare sector, leading to a sharp rise in cybersecurity threats. Poor cybersecurity in the healthcare sector, coupled with the high value of patient records, attracted the attention of hackers. Sophisticated advanced persistent threats and malware have significantly contributed to increasing risks to the health sector. Many recent attacks are attributed to the spread of malicious software, e.g., ransomware or bot malware. Machines infected with bot malware can be used as tools for remote attack or even cryptomining. This paper presents a novel approach, called BotDet, for botnet Command and Control (C&C) traffic detection to defend against malware attacks in critical infrastructure systems. There are two stages in the development of the proposed system: 1) we have developed four detection modules to detect different possible techniques used in botnet C&C communications, and 2) we have designed a correlation framework to reduce the rate of false alarms raised by the individual detection modules. Evaluation results show that BotDet balances the true positive rate and the false positive rate at 82.3% and 13.6%, respectively. Furthermore, the results demonstrate BotDet's capability for real-time detection.

8 | Alert Correlation in an Internet Early Warning System
Ceolin Junior, Tarcisio, 28 February 2014
Intrusion Detection Systems (IDS) are designed to monitor the computer network infrastructure against possible attacks by generating security alerts. With the increase of components connected to computer networks, traditional IDS are not capable of effectively detecting malicious attacks. This occurs either because of the distributed amount of data that traverses the network or because of the complexity of the attacks launched against the network. Therefore, the design of Internet Early Warning Systems (IEWS) enables the early detection of threats in the network, possibly avoiding eventual damage to the network resources. The IEWS works as a sink that collects alerts from different sources (for example, from different IDS), centralizing and correlating information in order to provide a holistic view of the network. This way, the current dissertation describes an IEWS architecture for correlating alerts from (geographically) spread out IDS using the Case-Based Reasoning (CBR) technique together with IP Georeferencing. The results obtained during experiments, which were executed over the implementation of the developed technique, showed the viability of the technique in reducing false positives. This demonstrates the applicability of the proposal as the basis for developing advanced techniques inside the extended IEWS architecture.
Funding: Coordenação de Aperfeiçoamento de Pessoal de Nível Superior

9 | Alert correlation towards an efficient response decision support
Ben Mustapha, Yosra, 30 April 2015
Security Information and Event Management (SIEM) systems provide the security analysts with a huge amount of alerts. Managing and analyzing such a tremendous number of alerts is a challenging task for the security administrator. Alert correlation has been designed in order to alleviate this problem. Current alert correlation techniques provide the security administrator with a better description of the detected attack and a more concise view of the generated alerts. That way, it usually reduces the volume of alerts in order to support the administrator in tackling the amount of generated alerts. Unfortunately, none of these techniques consider either the knowledge about the attacker's behavior or the enforcement functionalities and the defense perimeter of the protected network (Firewalls, Proxies, Intrusion Detection Systems, etc). It is still challenging to first improve the knowledge about the attacker and second to identify the policy enforcement mechanisms that are capable of processing generated alerts. Several authors have proposed different alert correlation methods and techniques. Although these approaches support the administrator in processing the huge number of generated alerts, they remain limited, since these solutions do not provide us with more information about the attackers' behavior and the defender's capability in reacting to detected attacks. In this dissertation, we propose two novel alert correlation approaches. The first approach, which we call honeypot-based alert correlation, is based on the use of knowledge about attackers collected through honeypots. The second approach, which we call enforcement-based alert correlation, is based on a policy enforcement and defender capabilities' model.
