Probabilistic Alert Correlation


Ontology type: schema:Chapter
Open Access: True


Chapter Info

DATE

2001-09-27

AUTHORS

Alfonso Valdes , Keith Skinner

ABSTRACT

With the growing deployment of host and network intrusion detection systems, managing reports from these systems becomes critically important. We present a probabilistic approach to alert correlation, extending ideas from multisensor data fusion. Features used for alert correlation are based on alert content that anticipates evolving IETF standards. The probabilistic approach provides a unified mathematical framework for correlating alerts that match closely but not perfectly, where the minimum degree of match required to fuse alerts is controlled by a single configurable parameter. Only features in common are considered in the fusion algorithm. For each feature we define an appropriate similarity function. The overall similarity is weighted by a specifiable expectation of similarity. In addition, a minimum similarity may be specified for some or all features. Features in this set must match at least as well as the minimum similarity specification in order to combine alerts, regardless of the goodness of match on the feature set as a whole. Our approach correlates attacks over time, correlates reports from heterogeneous sensors, and correlates multiple attack steps.

PAGES

54-68

References to SciGraph publications

  • 2000. Adaptive, Model-Based Monitoring for Cyber Attack Detection in Recent Advances in Intrusion Detection

BOOK

    TITLE

    Recent Advances in Intrusion Detection

    ISBN

    978-3-540-42702-5
    978-3-540-45474-8

    Author Affiliations

    Alfonso Valdes: SRI International, USA
    Keith Skinner: SRI International, USA

    Identifiers

    URI

    http://scigraph.springernature.com/pub.10.1007/3-540-45474-8_4

    DOI

    http://dx.doi.org/10.1007/3-540-45474-8_4

    DIMENSIONS

    https://app.dimensions.ai/details/publication/pub.1045138349


    JSON-LD is the canonical representation for SciGraph data.

    [
      {
        "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
        "about": [
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0801", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Artificial Intelligence and Image Processing", 
            "type": "DefinedTerm"
          }, 
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Information and Computing Sciences", 
            "type": "DefinedTerm"
          }
        ], 
        "author": [
          {
            "affiliation": {
              "alternateName": "SRI International", 
              "id": "https://www.grid.ac/institutes/grid.98913.3a", 
              "name": [
                "SRI International, USA"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Valdes", 
            "givenName": "Alfonso", 
            "id": "sg:person.011174465163.92", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011174465163.92"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "SRI International", 
              "id": "https://www.grid.ac/institutes/grid.98913.3a", 
              "name": [
                "SRI International, USA"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Skinner", 
            "givenName": "Keith", 
            "id": "sg:person.016617505623.98", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016617505623.98"
            ], 
            "type": "Person"
          }
        ], 
        "citation": [
          {
            "id": "sg:pub.10.1007/3-540-39945-3_6", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1053272897", 
              "https://doi.org/10.1007/3-540-39945-3_6"
            ], 
            "type": "CreativeWork"
          }
        ], 
        "datePublished": "2001-09-27", 
        "datePublishedReg": "2001-09-27", 
        "description": "With the growing deployment of host and network intrusion detection systems, managing reports from these systems becomes critically important. We present a probabilistic approach to alert correlation, extending ideas from multisensor data fusion. Features used for alert correlation are based on alert content that anticipates evolving IETF standards. The probabilistic approach provides a unified mathematical framework for correlating alerts that match closely but not perfectly, where the minimum degree of match required to fuse alerts is controlled by a single configurable parameter. Only features in common are considered in the fusion algorithm. For each feature we define an appropriate similarity function. The overall similarity is weighted by a specifiable expectation of similarity. In addition, a minimum similarity may be specified for some or all features. Features in this set must match at least as well as the minimum similarity specification in order to combine alerts, regardless of the goodness of match on the feature set as a whole. Our approach correlates attacks over time, correlates reports from heterogeneous sensors, and correlates multiple attack steps.", 
        "editor": [
          {
            "familyName": "Lee", 
            "givenName": "Wenke", 
            "type": "Person"
          }, 
          {
            "familyName": "M\u00e9", 
            "givenName": "Ludovic", 
            "type": "Person"
          }, 
          {
            "familyName": "Wespi", 
            "givenName": "Andreas", 
            "type": "Person"
          }
        ], 
        "genre": "chapter", 
        "id": "sg:pub.10.1007/3-540-45474-8_4", 
        "inLanguage": [
          "en"
        ], 
        "isAccessibleForFree": true, 
        "isPartOf": {
          "isbn": [
            "978-3-540-42702-5", 
            "978-3-540-45474-8"
          ], 
          "name": "Recent Advances in Intrusion Detection", 
          "type": "Book"
        }, 
        "name": "Probabilistic Alert Correlation", 
        "pagination": "54-68", 
        "productId": [
          {
            "name": "doi", 
            "type": "PropertyValue", 
            "value": [
              "10.1007/3-540-45474-8_4"
            ]
          }, 
          {
            "name": "readcube_id", 
            "type": "PropertyValue", 
            "value": [
              "d702617a4e040da1b4f5e1b5ce9c9080b41c7f9c4a730d5834891dfc9082f0c7"
            ]
          }, 
          {
            "name": "dimensions_id", 
            "type": "PropertyValue", 
            "value": [
              "pub.1045138349"
            ]
          }
        ], 
        "publisher": {
          "location": "Berlin, Heidelberg", 
          "name": "Springer Berlin Heidelberg", 
          "type": "Organisation"
        }, 
        "sameAs": [
          "https://doi.org/10.1007/3-540-45474-8_4", 
          "https://app.dimensions.ai/details/publication/pub.1045138349"
        ], 
        "sdDataset": "chapters", 
        "sdDatePublished": "2019-04-16T05:22", 
        "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
        "sdPublisher": {
          "name": "Springer Nature - SN SciGraph project", 
          "type": "Organization"
        }, 
        "sdSource": "s3://com-uberresearch-data-dimensions-target-20181106-alternative/cleanup/v134/2549eaecd7973599484d7c17b260dba0a4ecb94b/merge/v9/a6c9fde33151104705d4d7ff012ea9563521a3ce/jats-lookup/v90/0000000339_0000000339/records_109516_00000000.jsonl", 
        "type": "Chapter", 
        "url": "https://link.springer.com/10.1007%2F3-540-45474-8_4"
      }
    ]
     


    HOW TO GET THIS DATA PROGRAMMATICALLY:

    JSON-LD is a popular format for linked data which is fully compatible with JSON.

    curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/3-540-45474-8_4'

    N-Triples is a line-based linked data format ideal for batch operations.

    curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/3-540-45474-8_4'

    Turtle is a human-readable linked data format.

    curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/3-540-45474-8_4'

    RDF/XML is a standard XML format for linked data.

    curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/3-540-45474-8_4'


     

    This table displays all metadata directly associated to this object as RDF triples.

    86 triples, 23 predicates, 27 URIs, 19 literals, 8 blank nodes

    Row  Subject  Predicate  Object
    1 sg:pub.10.1007/3-540-45474-8_4 schema:about anzsrc-for:08
    2 sg:pub.10.1007/3-540-45474-8_4 schema:about anzsrc-for:0801
    3 sg:pub.10.1007/3-540-45474-8_4 schema:author Nd89da71411904a4eabe8d35179aaa6d7
    4 sg:pub.10.1007/3-540-45474-8_4 schema:citation sg:pub.10.1007/3-540-39945-3_6
    5 sg:pub.10.1007/3-540-45474-8_4 schema:datePublished 2001-09-27
    6 sg:pub.10.1007/3-540-45474-8_4 schema:datePublishedReg 2001-09-27
    7 sg:pub.10.1007/3-540-45474-8_4 schema:description With the growing deployment of host and network intrusion detection systems, managing reports from these systems becomes critically important. We present a probabilistic approach to alert correlation, extending ideas from multisensor data fusion. Features used for alert correlation are based on alert content that anticipates evolving IETF standards. The probabilistic approach provides a unified mathematical framework for correlating alerts that match closely but not perfectly, where the minimum degree of match required to fuse alerts is controlled by a single configurable parameter. Only features in common are considered in the fusion algorithm. For each feature we define an appropriate similarity function. The overall similarity is weighted by a specifiable expectation of similarity. In addition, a minimum similarity may be specified for some or all features. Features in this set must match at least as well as the minimum similarity specification in order to combine alerts, regardless of the goodness of match on the feature set as a whole. Our approach correlates attacks over time, correlates reports from heterogeneous sensors, and correlates multiple attack steps.
    8 sg:pub.10.1007/3-540-45474-8_4 schema:editor N2140cef9a3f941a39ac91e1c3f876c19
    9 sg:pub.10.1007/3-540-45474-8_4 schema:genre chapter
    10 sg:pub.10.1007/3-540-45474-8_4 schema:inLanguage en
    11 sg:pub.10.1007/3-540-45474-8_4 schema:isAccessibleForFree true
    12 sg:pub.10.1007/3-540-45474-8_4 schema:isPartOf N3f8d74d810c84e8ea6a008b0b9d1375b
    13 sg:pub.10.1007/3-540-45474-8_4 schema:name Probabilistic Alert Correlation
    14 sg:pub.10.1007/3-540-45474-8_4 schema:pagination 54-68
    15 sg:pub.10.1007/3-540-45474-8_4 schema:productId N23f4330613e64b5ba5865c5b194c1ea7
    16 sg:pub.10.1007/3-540-45474-8_4 schema:productId N9cbeb81f9d404122b1ed0baaecedc945
    17 sg:pub.10.1007/3-540-45474-8_4 schema:productId Nd00331d010e64636acbceef458a53547
    18 sg:pub.10.1007/3-540-45474-8_4 schema:publisher N0149592169d245e1b4ff308504d5669d
    19 sg:pub.10.1007/3-540-45474-8_4 schema:sameAs https://app.dimensions.ai/details/publication/pub.1045138349
    20 sg:pub.10.1007/3-540-45474-8_4 schema:sameAs https://doi.org/10.1007/3-540-45474-8_4
    21 sg:pub.10.1007/3-540-45474-8_4 schema:sdDatePublished 2019-04-16T05:22
    22 sg:pub.10.1007/3-540-45474-8_4 schema:sdLicense https://scigraph.springernature.com/explorer/license/
    23 sg:pub.10.1007/3-540-45474-8_4 schema:sdPublisher N040402f06c06498ba1f6d15dba6b82f3
    24 sg:pub.10.1007/3-540-45474-8_4 schema:url https://link.springer.com/10.1007%2F3-540-45474-8_4
    25 sg:pub.10.1007/3-540-45474-8_4 sgo:license sg:explorer/license/
    26 sg:pub.10.1007/3-540-45474-8_4 sgo:sdDataset chapters
    27 sg:pub.10.1007/3-540-45474-8_4 rdf:type schema:Chapter
    28 N0149592169d245e1b4ff308504d5669d schema:location Berlin, Heidelberg
    29 N0149592169d245e1b4ff308504d5669d schema:name Springer Berlin Heidelberg
    30 N0149592169d245e1b4ff308504d5669d rdf:type schema:Organisation
    31 N040402f06c06498ba1f6d15dba6b82f3 schema:name Springer Nature - SN SciGraph project
    32 N040402f06c06498ba1f6d15dba6b82f3 rdf:type schema:Organization
    33 N2140cef9a3f941a39ac91e1c3f876c19 rdf:first N8a4fcc4b9de3458aaa6f596871ef71d3
    34 N2140cef9a3f941a39ac91e1c3f876c19 rdf:rest N621131a8010b456187c287d816bfa18a
    35 N23f4330613e64b5ba5865c5b194c1ea7 schema:name doi
    36 N23f4330613e64b5ba5865c5b194c1ea7 schema:value 10.1007/3-540-45474-8_4
    37 N23f4330613e64b5ba5865c5b194c1ea7 rdf:type schema:PropertyValue
    38 N3f8d74d810c84e8ea6a008b0b9d1375b schema:isbn 978-3-540-42702-5
    39 N3f8d74d810c84e8ea6a008b0b9d1375b schema:isbn 978-3-540-45474-8
    40 N3f8d74d810c84e8ea6a008b0b9d1375b schema:name Recent Advances in Intrusion Detection
    41 N3f8d74d810c84e8ea6a008b0b9d1375b rdf:type schema:Book
    42 N621131a8010b456187c287d816bfa18a rdf:first Nf68f665093e647c6b45859d9c9e3a670
    43 N621131a8010b456187c287d816bfa18a rdf:rest Nb4b4fed62fbd48f8b8bbc2dce56609e7
    44 N691c7cfcc27a44bb81dedcf7a69ee202 rdf:first sg:person.016617505623.98
    45 N691c7cfcc27a44bb81dedcf7a69ee202 rdf:rest rdf:nil
    46 N8a4fcc4b9de3458aaa6f596871ef71d3 schema:familyName Lee
    47 N8a4fcc4b9de3458aaa6f596871ef71d3 schema:givenName Wenke
    48 N8a4fcc4b9de3458aaa6f596871ef71d3 rdf:type schema:Person
    49 N9cbeb81f9d404122b1ed0baaecedc945 schema:name dimensions_id
    50 N9cbeb81f9d404122b1ed0baaecedc945 schema:value pub.1045138349
    51 N9cbeb81f9d404122b1ed0baaecedc945 rdf:type schema:PropertyValue
    52 Na33b09aa608941e9b38952e553851b25 schema:familyName Wespi
    53 Na33b09aa608941e9b38952e553851b25 schema:givenName Andreas
    54 Na33b09aa608941e9b38952e553851b25 rdf:type schema:Person
    55 Nb4b4fed62fbd48f8b8bbc2dce56609e7 rdf:first Na33b09aa608941e9b38952e553851b25
    56 Nb4b4fed62fbd48f8b8bbc2dce56609e7 rdf:rest rdf:nil
    57 Nd00331d010e64636acbceef458a53547 schema:name readcube_id
    58 Nd00331d010e64636acbceef458a53547 schema:value d702617a4e040da1b4f5e1b5ce9c9080b41c7f9c4a730d5834891dfc9082f0c7
    59 Nd00331d010e64636acbceef458a53547 rdf:type schema:PropertyValue
    60 Nd89da71411904a4eabe8d35179aaa6d7 rdf:first sg:person.011174465163.92
    61 Nd89da71411904a4eabe8d35179aaa6d7 rdf:rest N691c7cfcc27a44bb81dedcf7a69ee202
    62 Nf68f665093e647c6b45859d9c9e3a670 schema:familyName Mé
    63 Nf68f665093e647c6b45859d9c9e3a670 schema:givenName Ludovic
    64 Nf68f665093e647c6b45859d9c9e3a670 rdf:type schema:Person
    65 anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
    66 anzsrc-for:08 schema:name Information and Computing Sciences
    67 anzsrc-for:08 rdf:type schema:DefinedTerm
    68 anzsrc-for:0801 schema:inDefinedTermSet anzsrc-for:
    69 anzsrc-for:0801 schema:name Artificial Intelligence and Image Processing
    70 anzsrc-for:0801 rdf:type schema:DefinedTerm
    71 sg:person.011174465163.92 schema:affiliation https://www.grid.ac/institutes/grid.98913.3a
    72 sg:person.011174465163.92 schema:familyName Valdes
    73 sg:person.011174465163.92 schema:givenName Alfonso
    74 sg:person.011174465163.92 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011174465163.92
    75 sg:person.011174465163.92 rdf:type schema:Person
    76 sg:person.016617505623.98 schema:affiliation https://www.grid.ac/institutes/grid.98913.3a
    77 sg:person.016617505623.98 schema:familyName Skinner
    78 sg:person.016617505623.98 schema:givenName Keith
    79 sg:person.016617505623.98 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016617505623.98
    80 sg:person.016617505623.98 rdf:type schema:Person
    81 sg:pub.10.1007/3-540-39945-3_6 schema:sameAs https://app.dimensions.ai/details/publication/pub.1053272897
    82 sg:pub.10.1007/3-540-39945-3_6 schema:sameAs https://doi.org/10.1007/3-540-39945-3_6
    83 sg:pub.10.1007/3-540-39945-3_6 rdf:type schema:CreativeWork
    84 https://www.grid.ac/institutes/grid.98913.3a schema:alternateName SRI International
    85 https://www.grid.ac/institutes/grid.98913.3a schema:name SRI International, USA
    86 https://www.grid.ac/institutes/grid.98913.3a rdf:type schema:Organization
     



