Probabilistic Alert Correlation


Ontology type: schema:Chapter
Open Access: True


Chapter Info

DATE

2001-09-27

AUTHORS

Alfonso Valdes, Keith Skinner

ABSTRACT

With the growing deployment of host and network intrusion detection systems, managing reports from these systems becomes critically important. We present a probabilistic approach to alert correlation, extending ideas from multisensor data fusion. Features used for alert correlation are based on alert content that anticipates evolving IETF standards. The probabilistic approach provides a unified mathematical framework for correlating alerts that match closely but not perfectly, where the minimum degree of match required to fuse alerts is controlled by a single configurable parameter. Only features in common are considered in the fusion algorithm. For each feature we define an appropriate similarity function. The overall similarity is weighted by a specifiable expectation of similarity. In addition, a minimum similarity may be specified for some or all features. Features in this set must match at least as well as the minimum similarity specification in order to combine alerts, regardless of the goodness of match on the feature set as a whole. Our approach correlates attacks over time, correlates reports from heterogeneous sensors, and correlates multiple attack steps.

PAGES

54-68

BOOK

    TITLE

    Recent Advances in Intrusion Detection

    ISBN

    978-3-540-42702-5
    978-3-540-45474-8

    Identifiers

    URI

    http://scigraph.springernature.com/pub.10.1007/3-540-45474-8_4

    DOI

    http://dx.doi.org/10.1007/3-540-45474-8_4

    DIMENSIONS

    https://app.dimensions.ai/details/publication/pub.1045138349

