DocumentCode
614354
Title
A framework for multi-stage attack detection
Author
Alserhani, Faeiz
Author_Institution
Commun. & Inf. Security Dept., King Fahd Security Coll., Saudi Arabia
fYear
2013
fDate
27-30 April 2013
Firstpage
1
Lastpage
6
Abstract
Network Intrusion Detection Systems (NIDS) are considered essential mechanisms for ensuring reliable security. In an intrusion detection context, neither of the main detection approaches (signature-based and anomaly-based) is fully satisfactory. False positives (detected non-attacks) and false negatives (non-detected attacks) are the major limitations of such systems. The generated alerts are elementary and huge in number. Hence, alert correlation techniques are used to provide a complementary analysis that links elementary alerts and gives a more global view of the intrusion. We propose an alert correlation and aggregation framework based on the requires/provides model. The objective is to discover the logical relationships between atomic alerts that are potentially part of multi-stage attacks. The obtained results illustrate that the proposed system can effectively detect coordinated attacks with a minimum of false positives.
Keywords
computer network security; aggregation framework; alert correlation technique; atomic alerts; coordinated attack detection; global intrusion view; link elementary alert; logical relationship; minimum false positive; multistage attack detection; network intrusion detection systems; provides model; requires model; Abstracts; Correlation; Engines; IP networks; Knowledge based systems; Mars; Security; Alerts correlation; Network intrusion detection systems; multi-stage attack
fLanguage
English
Publisher
ieee
Conference_Titel
Electronics, Communications and Photonics Conference (SIECPC), 2013 Saudi International
Conference_Location
Fira
Print_ISBN
978-1-4673-6196-5
Electronic_ISBN
978-1-4673-6194-1
Type
conf
DOI
10.1109/SIECPC.2013.6550973
Filename
6550973