DocumentCode
3395683
Title
Real-time multistage attack awareness through enhanced intrusion alert clustering
Author
Mathew, Sunu ; Britt, Daniel ; Giomundo, Richard ; Upadhyaya, Shambhu ; Sudit, Moises ; Stotz, Adam
Author_Institution
Dept. of Comput. Sci. & Eng., State Univ. of New York
fYear
2005
fDate
17-20 Oct. 2005
Firstpage
1801
Abstract
Correlation and fusion of intrusion alerts to provide effective situation awareness of cyber-attacks has become an active area of research. Snort is the most widely deployed intrusion detection sensor. For many networks and their system administrators, the alerts generated by Snort are the primary indicators of network misuse and attacker activity. However, the volume of alerts generated in typical networks makes real-time attack scenario comprehension difficult. In this paper, we present an attack-stage oriented classification of alerts, using Snort as an example, and demonstrate that it effectively improves real-time situation awareness of multistage attacks. We also incorporate this scheme into the real-time attack detection framework and prototype presented by the authors in previous work and provide results from testing against multistage attack scenarios.
Keywords
computer networks; security of data; telecommunication security; Snort; attack-stage oriented classification; attacker activity; cyber-attacks; intrusion alert clustering; intrusion detection sensor; multistage attacks; network misuse; primary indicators; real-time attack detection; real-time attack scenario; real-time multistage attack awareness; Computer science; Computer security; Fusion power generation; Industrial engineering; Intrusion detection; Military computing; Real time systems; Subcontracting; Taxonomy; Testing;
fLanguage
English
Publisher
ieee
Conference_Titel
Military Communications Conference, 2005. MILCOM 2005. IEEE
Conference_Location
Atlantic City, NJ
Print_ISBN
0-7803-9393-7
Type
conf
DOI
10.1109/MILCOM.2005.1605934
Filename
1605934