Statistical Causality Analysis of INFOSEC Alert Data
2003
AUTHORS
Xinzhou Qin, Wenke Lee (Georgia Institute of Technology, College of Computing, Atlanta, GA, USA)
ABSTRACT
With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antivirus software and authentication services, the problem of alert analysis has become very important. The large amount of alerts can overwhelm security administrators and prevent them from adequately understanding and analyzing the security state of the network, and initiating appropriate response in a timely fashion. Recently, several approaches for alert correlation and attack scenario analysis have been proposed. However, these approaches all have limited capabilities in detecting new attack scenarios. In this paper, we study the problem of security alert correlation with an emphasis on attack scenario analysis. In our framework, we use clustering techniques to process low-level alert data into high-level aggregated alerts, and conduct causal analysis based on statistical tests to discover new relationships among attacks. Our statistical causality approach complements other approaches that use hard-coded prior knowledge for pattern matching. We perform a series of experiments to validate our method using DARPA’s Grand Challenge Problem (GCP) datasets and the DEF CON 9 datasets. The results show that our approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated.
PAGES
73-93
Recent Advances in Intrusion Detection
ISBN
978-3-540-40878-9
978-3-540-45248-5
SCIGRAPH
http://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5
DOI
http://dx.doi.org/10.1007/978-3-540-45248-5_5
DIMENSIONS
https://app.dimensions.ai/details/publication/pub.1040339087
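The abstract describes a two-stage pipeline: raw IDS alerts are first clustered into aggregated (hyper-)alerts, and the resulting alert streams are then tested for statistical causality so that an attack step that reliably precedes another can be found without a hand-written scenario rule. The script below is an added illustration of that pipeline, not code from the paper: it bins a constructed alert feed into per-minute count series keyed by (signature, destination) and ranks candidate causes of one hyper-alert with a Granger-causality F-test. The abstract itself does not name the test; Granger's 1969 Econometrica paper (DOI 10.2307/1912791) appears in the chapter's reference list, so that is the test assumed here. The signature names, IP addresses, 60-second bin width, lag order of 2 and all alert volumes are invented for the demonstration, and the least-squares fit is done in pure Python so the example has no dependencies.

```python
"""
Added example (not the paper's code): cluster raw alerts into hyper-alert
count series, then rank candidate causes of a target hyper-alert with a
Granger-causality F-test (assumed test; the abstract only says
"statistical tests").
"""
from collections import defaultdict

BIN_SECONDS = 60   # width of one time-series bucket (assumption)
LAG = 2            # autoregressive order p for the causality test (assumption)
N_BINS = 40        # length of the constructed observation window

# --- constructed alert feed --------------------------------------------------
# A port-sweep that bursts every four minutes with varying volume; a web
# exploit alert whose volume tracks the previous minute's scan volume (plus a
# small unrelated drift); and an ICMP alert on an independent five-minute cycle.
SCAN_BURSTS = {2: 5, 6: 8, 10: 3, 14: 12, 18: 6, 22: 9, 26: 2, 30: 7, 34: 10, 38: 4}

def make_alerts():
    """Return constructed raw alerts as (timestamp_seconds, signature, dst_ip)."""
    alerts = []
    for b in range(N_BINS):
        t0 = b * BIN_SECONDS
        for i in range(SCAN_BURSTS.get(b, 0)):
            alerts.append((t0 + i, "SCAN_PORTSWEEP", "10.0.0.5"))
        prev_scans = SCAN_BURSTS.get(b - 1, 0)
        for i in range(2 * prev_scans + (b % 3)):
            alerts.append((t0 + 30 + i, "WEB_CGI_EXPLOIT", "10.0.0.5"))
        for i in range(3 if b % 5 == 0 else 1):
            alerts.append((t0 + 10 + i, "ICMP_ECHO", "10.0.0.9"))
    return alerts

# --- stage 1: aggregation into hyper-alert time series ------------------------
def aggregate(alerts, n_bins, bin_seconds=BIN_SECONDS):
    """Group raw alerts by (signature, dst) and count them per time bin."""
    series = defaultdict(lambda: [0] * n_bins)
    for ts, sig, dst in alerts:
        b = int(ts // bin_seconds)
        if 0 <= b < n_bins:
            series[(sig, dst)][b] += 1
    return dict(series)

# --- stage 2: Granger causality test -----------------------------------------
def _solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("singular design matrix")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def _rss(rows, y):
    """Residual sum of squares of the ordinary least-squares fit y ~ rows."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = _solve(xtx, xty)
    return sum((yi - sum(bi * xi for bi, xi in zip(beta, r))) ** 2
               for r, yi in zip(rows, y))

def granger_f(cause, effect, p=LAG):
    """F statistic for 'cause Granger-causes effect' at lag p.

    Restricted model: effect_t on a constant and its own p lags.
    Unrestricted model: the same plus p lags of cause.  A large F means the
    cause's history explains the effect beyond what the effect's own history
    already explains."""
    T = len(effect)
    y = effect[p:]
    own = [[1.0] + [effect[t - i] for i in range(1, p + 1)] for t in range(p, T)]
    both = [row + [cause[t - i] for i in range(1, p + 1)]
            for row, t in zip(own, range(p, T))]
    rss_r, rss_u = _rss(own, y), _rss(both, y)
    if rss_u == 0:                      # perfect fit: evidence is unbounded
        return float("inf")
    df_u = (T - p) - (2 * p + 1)        # observations minus fitted parameters
    return ((rss_r - rss_u) / p) / (rss_u / df_u)

def rank_causes(series, target, p=LAG):
    """Rank every other hyper-alert as a candidate cause of `target` by F."""
    effect = series[target]
    scores = {k: granger_f(c, effect, p) for k, c in series.items() if k != target}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    hyper = aggregate(make_alerts(), N_BINS)
    for key, f in rank_causes(hyper, ("WEB_CGI_EXPLOIT", "10.0.0.5")):
        print(f"{key[0]:16s} -> WEB_CGI_EXPLOIT   F = {f:10.2f}")
```

The F statistic is compared against an F(p, df_u) critical value in practice; here the scan-to-exploit score is orders of magnitude above the ICMP-to-exploit score, which is the ranking a practitioner would use to propose a new "port sweep precedes web exploit" relationship for review. Two caveats carry over from the abstract: the test only finds relationships whose alert volumes are statistically correlated within the chosen bin width and lag, and a high score is evidence of temporal precedence, not proof of an attacker's intent.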
JSON-LD is the canonical representation for SciGraph data.
[
{
"@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json",
"about": [
{
"id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0801",
"inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/",
"name": "Artificial Intelligence and Image Processing",
"type": "DefinedTerm"
},
{
"id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08",
"inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/",
"name": "Information and Computing Sciences",
"type": "DefinedTerm"
}
],
"author": [
{
"affiliation": {
"alternateName": "Georgia Institute of Technology",
"id": "https://www.grid.ac/institutes/grid.213917.f",
"name": [
"Georgia Institute of Technology, College of Computing, 30332, Atlanta, GA, USA"
],
"type": "Organization"
},
"familyName": "Qin",
"givenName": "Xinzhou",
"id": "sg:person.016165000537.89",
"sameAs": [
"https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016165000537.89"
],
"type": "Person"
},
{
"affiliation": {
"alternateName": "Georgia Institute of Technology",
"id": "https://www.grid.ac/institutes/grid.213917.f",
"name": [
"Georgia Institute of Technology, College of Computing, 30332, Atlanta, GA, USA"
],
"type": "Organization"
},
"familyName": "Lee",
"givenName": "Wenke",
"id": "sg:person.014402357505.82",
"sameAs": [
"https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014402357505.82"
],
"type": "Person"
}
],
"citation": [
{
"id": "https://doi.org/10.1145/586110.586144",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1005140811"
],
"type": "CreativeWork"
},
{
"id": "sg:pub.10.1007/3-540-36084-0_5",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1014116851",
"https://doi.org/10.1007/3-540-36084-0_5"
],
"type": "CreativeWork"
},
{
"id": "sg:pub.10.1007/3-540-45474-8_6",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1028240787",
"https://doi.org/10.1007/3-540-45474-8_6"
],
"type": "CreativeWork"
},
{
"id": "sg:pub.10.1007/978-0-387-34890-2_25",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1029366571",
"https://doi.org/10.1007/978-0-387-34890-2_25"
],
"type": "CreativeWork"
},
{
"id": "sg:pub.10.1007/978-0-387-34890-2_24",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1032937365",
"https://doi.org/10.1007/978-0-387-34890-2_24"
],
"type": "CreativeWork"
},
{
"id": "sg:pub.10.1007/3-540-36084-0_6",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1033538885",
"https://doi.org/10.1007/3-540-36084-0_6"
],
"type": "CreativeWork"
},
{
"id": "sg:pub.10.1007/3-540-45474-8_4",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1045138349",
"https://doi.org/10.1007/3-540-45474-8_4"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1145/775047.775101",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1047028566"
],
"type": "CreativeWork"
},
{
"id": "sg:pub.10.1023/a:1015910917349",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1047385361",
"https://doi.org/10.1023/a:1015910917349"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1093/biomet/65.2.297",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1059418747"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1109/65.244794",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1061205410"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1109/msecp.2003.1176995",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1061421770"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.2307/1912791",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1069640326"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1109/infcom.1993.253408",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1086265988"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1137/1.9781611972726.13",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1088799864"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1109/discex.2003.1194892",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1093692431"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1109/secpri.2002.1004372",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1094346769"
],
"type": "CreativeWork"
},
{
"id": "https://doi.org/10.1109/inm.2001.918069",
"sameAs": [
"https://app.dimensions.ai/details/publication/pub.1094983441"
],
"type": "CreativeWork"
}
],
"datePublished": "2003",
"datePublishedReg": "2003-01-01",
"description": "With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antivirus software and authentication services, the problem of alert analysis has become very important. The large amount of alerts can overwhelm security administrators and prevent them from adequately understanding and analyzing the security state of the network, and initiating appropriate response in a timely fashion. Recently, several approaches for alert correlation and attack scenario analysis have been proposed. However, these approaches all have limited capabilities in detecting new attack scenarios. In this paper, we study the problem of security alert correlation with an emphasis on attack scenario analysis. In our framework, we use clustering techniques to process low-level alert data into high-level aggregated alerts, and conduct causal analysis based on statistical tests to discover new relationships among attacks. Our statistical causality approach complements other approaches that use hard-coded prior knowledge for pattern matching. We perform a series of experiments to validate our method using DARPA\u2019s Grand Challenge Problem (GCP) datasets and the DEF CON 9 datasets. The results show that our approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated.",
"editor": [
{
"familyName": "Vigna",
"givenName": "Giovanni",
"type": "Person"
},
{
"familyName": "Kruegel",
"givenName": "Christopher",
"type": "Person"
},
{
"familyName": "Jonsson",
"givenName": "Erland",
"type": "Person"
}
],
"genre": "chapter",
"id": "sg:pub.10.1007/978-3-540-45248-5_5",
"inLanguage": [
"en"
],
"isAccessibleForFree": false,
"isPartOf": {
"isbn": [
"978-3-540-40878-9",
"978-3-540-45248-5"
],
"name": "Recent Advances in Intrusion Detection",
"type": "Book"
},
"name": "Statistical Causality Analysis of INFOSEC Alert Data",
"pagination": "73-93",
"productId": [
{
"name": "dimensions_id",
"type": "PropertyValue",
"value": [
"pub.1040339087"
]
},
{
"name": "doi",
"type": "PropertyValue",
"value": [
"10.1007/978-3-540-45248-5_5"
]
},
{
"name": "readcube_id",
"type": "PropertyValue",
"value": [
"c028831e1902f4d40ca7c3c1ee65927f2a3cdf8911176548e9947d844e317ded"
]
}
],
"publisher": {
"location": "Berlin, Heidelberg",
"name": "Springer Berlin Heidelberg",
"type": "Organisation"
},
"sameAs": [
"https://doi.org/10.1007/978-3-540-45248-5_5",
"https://app.dimensions.ai/details/publication/pub.1040339087"
],
"sdDataset": "chapters",
"sdDatePublished": "2019-04-16T08:01",
"sdLicense": "https://scigraph.springernature.com/explorer/license/",
"sdPublisher": {
"name": "Springer Nature - SN SciGraph project",
"type": "Organization"
},
"sdSource": "s3://com-uberresearch-data-dimensions-target-20181106-alternative/cleanup/v134/2549eaecd7973599484d7c17b260dba0a4ecb94b/merge/v9/a6c9fde33151104705d4d7ff012ea9563521a3ce/jats-lookup/v90/0000000359_0000000359/records_29197_00000002.jsonl",
"type": "Chapter",
"url": "https://link.springer.com/10.1007%2F978-3-540-45248-5_5"
}
]
Download the RDF metadata as: json-ld, nt, turtle, xml
JSON-LD is a popular format for linked data which is fully compatible with JSON.
curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5'
N-Triples is a line-based linked data format ideal for batch operations.
curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5'
Turtle is a human-readable linked data format.
curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5'
RDF/XML is a standard XML format for linked data.
curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5'