DocumentCode
2210067
Title
Evaluating attack time expenses for network security alert causal correlation
Author
Zhang, Shaojun ; Li, Jianhua ; Chen, Xiuzhen ; Fan, Lei
Author_Institution
Sch. of Inf. Security Eng., Shanghai Jiaotong Univ., Shanghai, China
fYear
2008
fDate
19-21 Nov. 2008
Firstpage
1209
Lastpage
1212
Abstract
Network security alert causal correlation aims at correlating causally related security alerts into comprehensible attack scenarios. In this paper, we propose a novel correlation criterion based on evaluating the time expenses of the attacks that trigger security alerts. By treating the attack time expenses as random variables and studying their probability distribution, we can calculate a temporal correlation belief metric for any two candidate alerts. To verify the feasibility of the approach, a prototype system is designed, implemented and tested with the DARPA 2000 IDS evaluation dataset. Results show that our method is effective and efficient, providing strong complementary support for attack scenario construction.
Keywords
probability; security of data; telecommunication security; attack time expenses; intrusion detection system; network security alert causal correlation; probabilistic distribution; random variables; Computer networks; Computer security; Correlation; Data security; Information security; Intrusion detection; Materials science and technology; Prototypes; Random variables; System testing; alert correlation; attack time expense; network security; temporal correlation belief;
fLanguage
English
Publisher
ieee
Conference_Titel
Communication Systems, 2008. ICCS 2008. 11th IEEE Singapore International Conference on
Conference_Location
Guangzhou
Print_ISBN
978-1-4244-2423-8
Electronic_ISBN
978-1-4244-2424-5
Type
conf
DOI
10.1109/ICCS.2008.4737374
Filename
4737374