ALERT CORRELATION BASED ON A LOGICAL HANDLING OF ADMINISTRATOR PREFERENCES AND KNOWLEDGE

Salem Benferhat, Karima Sedki

2008

Abstract

Intrusion detection systems (IDSs) are important tools for infortation systems security. However, they generate a large number of alerts which complicate the task of network administrator to understand these triggered alerts and take appropriate actions. In this paper, we present a logic-based approach to alert correlation. This logic allows to integrate administrator’s preferences and knowledge. Our logic, called Extended Qualitative Choice Logic (E Q C L ), is an extension of a fragment of first order logic. It adds a new connector, denoted →X that allows to represent administrator preferences. The objective of our logic-based alert correlation approach is to rank-order alerts generated by IDS on the basis of administrator preferences and knowledge. Only alerts that fully fit administrator’s preferences and knowledge are first presented. Then if needed, less preferred alerts (which falsify less important preferences) will be presented, and so on.

References

  1. Anderson, J. (1980). Computer security threat monitoring and surveillance. Fort Washington, Pennsylvania.
  2. Benferhat, S. and Sedki, K. (2007). A revised qualitative choice logic for handling prioritized preferences. In ECSQARU, pages 635-647.
  3. Brewka, G., Benferhat, S., and Berre, D. L. (2004). Qualitative choice logic. Artificial Intelligence Journal(AIJ), 157(1-2):203-237.
  4. Cuppens, F. and Miège, A. (2002). Alert correlation in a cooperative intrusion detection framework. In SP, USA.
  5. Julisch, K. (2003). Clustering intrusion detection alarms to support root cause analysis.
  6. Kumar, S. and Spafford, E. (1995). A software architecture to support misuse intrusion detection. In Proceedings of the 18th National Information Security Conference.
  7. Lunt, T. (1990). Detecting Intruders in Computer Systems. In In Proc of the Sixth Annual Symposium and Technical Displays on Physical and Electronic Security.
  8. Morin, B., Ludovic, M., Debar, H., and Ducassé, M. (2002). M2d2: A formal data model for ids alert correlation.
  9. Ning, P., Cui, Y., and Reeves, D. S. (2002). Constructing attack scenarios through correlation of intrusion alerts. In CCS'2002, pages 245-254.
  10. Paxson, V. (1999). Bro: a system for detecting network intruders in real-time. Computer Networks, 31(23- 24):2435-2463.
  11. Porras, P. A. and Neumann, P. G. (1997). EMERALD: Event monitoring enabling responses to anomalous live disturbances. In NIST-NCSC, pages 353-365.
  12. Valdes, A. and Skinner, K. (2001). Probabilistic alert correlation. In RAID 200, number 2212.
Download


Paper Citation


in Harvard Style

Benferhat S. and Sedki K. (2008). ALERT CORRELATION BASED ON A LOGICAL HANDLING OF ADMINISTRATOR PREFERENCES AND KNOWLEDGE . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 50-56. DOI: 10.5220/0001924000500056


in Bibtex Style

@conference{secrypt08,
author={Salem Benferhat and Karima Sedki},
title={ALERT CORRELATION BASED ON A LOGICAL HANDLING OF ADMINISTRATOR PREFERENCES AND KNOWLEDGE},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},
year={2008},
pages={50-56},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001924000500056},
isbn={978-989-8111-59-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
TI - ALERT CORRELATION BASED ON A LOGICAL HANDLING OF ADMINISTRATOR PREFERENCES AND KNOWLEDGE
SN - 978-989-8111-59-3
AU - Benferhat S.
AU - Sedki K.
PY - 2008
SP - 50
EP - 56
DO - 10.5220/0001924000500056