Statistical Causality Analysis of INFOSEC Alert Data


Ontology type: schema:Chapter     


Chapter Info

DATE

2003

AUTHORS

Xinzhou Qin, Wenke Lee

ABSTRACT

With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antivirus software and authentication services, the problem of alert analysis has become very important. The large amount of alerts can overwhelm security administrators and prevent them from adequately understanding and analyzing the security state of the network, and initiating appropriate response in a timely fashion. Recently, several approaches for alert correlation and attack scenario analysis have been proposed. However, these approaches all have limited capabilities in detecting new attack scenarios. In this paper, we study the problem of security alert correlation with an emphasis on attack scenario analysis. In our framework, we use clustering techniques to process low-level alert data into high-level aggregated alerts, and conduct causal analysis based on statistical tests to discover new relationships among attacks. Our statistical causality approach complements other approaches that use hard-coded prior knowledge for pattern matching. We perform a series of experiments to validate our method using DARPA’s Grand Challenge Problem (GCP) datasets and the DEF CON 9 datasets. The results show that our approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated.
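The abstract gives the two stages of the framework only in outline: low-level alerts are aggregated, and a statistical test then decides whether one aggregated alert stream helps predict another. The following is an added illustration by the editor, not the authors' code, and the page does not name the particular statistical test the paper uses; the test shown here is a Granger-style lag-regression F-test (restricted model: the effect's own lags; unrestricted model: the same plus the candidate cause's lags), run in both directions. The alert events, the signature names PORTSCAN and EXPLOIT, the 60-second window and the lag of 2 are all constructed for the demonstration, and the aggregation step is simplified to grouping by signature. Pure Python, no third-party packages.

```python
"""Added illustration: Granger-style causality test between two aggregated alert streams.
Pipeline: raw alerts -> per-signature counts per time window -> lag-regression F-test."""
import math
import random

def bucket_counts(events, window, n_windows):
    """events: (timestamp, signature) pairs -> {signature: [alert count per window]}."""
    series = {}
    for ts, sig in events:
        idx = int(ts // window)
        if 0 <= idx < n_windows:
            series.setdefault(sig, [0.0] * n_windows)[idx] += 1
    return series

def _solve(A, b):
    """Gauss-Jordan with partial pivoting; the normal-equation systems here are tiny."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        if abs(M[col][col]) < 1e-12:
            raise ValueError("singular design matrix: constant or collinear series")
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [mr - f * mc for mr, mc in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

def _rss(rows, y):
    """Residual sum of squares of OLS y ~ rows (rows already carry the intercept column)."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * t for r, t in zip(rows, y)) for i in range(k)]
    beta = _solve(xtx, xty)
    return sum((t - sum(b * v for b, v in zip(beta, r))) ** 2 for r, t in zip(rows, y))

def _betacf(a, b, x, eps=1e-12, maxit=300):
    """Continued fraction of the incomplete beta function (modified Lentz, Numerical Recipes form)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= tiny else tiny)
    h = d
    for m in range(1, maxit + 1):
        m2 = 2 * m
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) >= tiny else tiny)
            c = 1.0 + aa / c
            c = c if abs(c) >= tiny else tiny
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h

def f_pvalue(f, d1, d2):
    """P(F_{d1,d2} > f) = I_x(d2/2, d1/2) with x = d2 / (d2 + d1 f)."""
    if f <= 0:
        return 1.0
    a, b, x = d2 / 2.0, d1 / 2.0, d2 / (d2 + d1 * f)
    lbeta = math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
    bt = math.exp(lbeta + a * math.log(x) + b * math.log1p(-x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b

def granger(x, y, lag):
    """F-test: do lags 1..lag of x predict y beyond y's own lags? Returns (F, p-value)."""
    T = len(y)
    if len(x) != T or T < 4 * lag + 4:
        raise ValueError("series too short for the requested lag")
    target = y[lag:]
    own = [[1.0] + [y[t - i] for i in range(1, lag + 1)] for t in range(lag, T)]
    full = [row + [x[t - i] for i in range(1, lag + 1)] for row, t in zip(own, range(lag, T))]
    rss_r, rss_u = _rss(own, target), _rss(full, target)
    d1, d2 = lag, len(target) - 2 * lag - 1
    if rss_u <= 0.0:  # x's lags explain y exactly
        return float("inf"), 0.0
    f = max(((rss_r - rss_u) / d1) / (rss_u / d2), 0.0)
    return f, f_pvalue(f, d1, d2)

def synthetic_alerts(rng, n_windows, window=60.0):
    """Constructed data: PORTSCAN bursts are i.i.d.; EXPLOIT alerts follow the previous window's
    scans (2 per scan alert plus noise), so the only true direction is PORTSCAN -> EXPLOIT."""
    events, prev_scans = [], 0
    for w in range(n_windows):
        scans = rng.randint(0, 5)
        exploits = 2 * prev_scans + rng.randint(0, 2)
        events += [(w * window + rng.random() * window, "PORTSCAN")] * scans
        events += [(w * window + rng.random() * window, "EXPLOIT")] * exploits
        prev_scans = scans
    return events

def run_demo(seed=7, n_windows=240, lag=2):
    """Both directions on the constructed streams -> {(cause, effect): (F, p)}."""
    series = bucket_counts(synthetic_alerts(random.Random(seed), n_windows), 60.0, n_windows)
    return {(c, e): granger(series[c], series[e], lag)
            for c, e in (("PORTSCAN", "EXPLOIT"), ("EXPLOIT", "PORTSCAN"))}
```

On the constructed streams, `run_demo()` gives a very large F and a vanishing p-value for PORTSCAN -> EXPLOIT and an unremarkable F for the reverse direction; that asymmetry is what lets the method propose a direction without any hard-coded scenario rule. Two caveats apply to real alert data: the F-test assumes roughly Gaussian residuals, so bursty count series should be normalised or differenced before testing, and a significant result means "helps predict", not "caused"; the abstract itself frames the output as candidate relationships that complement knowledge-based correlation rather than replace it.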

PAGES

73-93

Book

TITLE

Recent Advances in Intrusion Detection

ISBN

978-3-540-40878-9
978-3-540-45248-5

Author Affiliations

Xinzhou Qin, Wenke Lee: Georgia Institute of Technology, College of Computing, 30332, Atlanta, GA, USA

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5

DOI

http://dx.doi.org/10.1007/978-3-540-45248-5_5

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1040339087



JSON-LD is the canonical representation for SciGraph data.


[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0801", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Artificial Intelligence and Image Processing", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "Georgia Institute of Technology", 
          "id": "https://www.grid.ac/institutes/grid.213917.f", 
          "name": [
            "Georgia Institute of Technology, College of Computing, 30332, Atlanta, GA, USA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Qin", 
        "givenName": "Xinzhou", 
        "id": "sg:person.016165000537.89", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016165000537.89"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Georgia Institute of Technology", 
          "id": "https://www.grid.ac/institutes/grid.213917.f", 
          "name": [
            "Georgia Institute of Technology, College of Computing, 30332, Atlanta, GA, USA"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Lee", 
        "givenName": "Wenke", 
        "id": "sg:person.014402357505.82", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014402357505.82"
        ], 
        "type": "Person"
      }
    ], 
    "citation": [
      {
        "id": "https://doi.org/10.1145/586110.586144", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1005140811"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "sg:pub.10.1007/3-540-36084-0_5", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1014116851", 
          "https://doi.org/10.1007/3-540-36084-0_5"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "sg:pub.10.1007/3-540-45474-8_6", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1028240787", 
          "https://doi.org/10.1007/3-540-45474-8_6"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "sg:pub.10.1007/978-0-387-34890-2_25", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1029366571", 
          "https://doi.org/10.1007/978-0-387-34890-2_25"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "sg:pub.10.1007/978-0-387-34890-2_24", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1032937365", 
          "https://doi.org/10.1007/978-0-387-34890-2_24"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "sg:pub.10.1007/3-540-36084-0_6", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1033538885", 
          "https://doi.org/10.1007/3-540-36084-0_6"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "sg:pub.10.1007/3-540-45474-8_4", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1045138349", 
          "https://doi.org/10.1007/3-540-45474-8_4"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1145/775047.775101", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1047028566"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "sg:pub.10.1023/a:1015910917349", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1047385361", 
          "https://doi.org/10.1023/a:1015910917349"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1093/biomet/65.2.297", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1059418747"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1109/65.244794", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1061205410"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1109/msecp.2003.1176995", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1061421770"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.2307/1912791", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1069640326"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1109/infcom.1993.253408", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1086265988"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1137/1.9781611972726.13", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1088799864"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1109/discex.2003.1194892", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1093692431"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1109/secpri.2002.1004372", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1094346769"
        ], 
        "type": "CreativeWork"
      }, 
      {
        "id": "https://doi.org/10.1109/inm.2001.918069", 
        "sameAs": [
          "https://app.dimensions.ai/details/publication/pub.1094983441"
        ], 
        "type": "CreativeWork"
      }
    ], 
    "datePublished": "2003", 
    "datePublishedReg": "2003-01-01", 
    "description": "With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antivirus software and authentication services, the problem of alert analysis has become very important. The large amount of alerts can overwhelm security administrators and prevent them from adequately understanding and analyzing the security state of the network, and initiating appropriate response in a timely fashion. Recently, several approaches for alert correlation and attack scenario analysis have been proposed. However, these approaches all have limited capabilities in detecting new attack scenarios. In this paper, we study the problem of security alert correlation with an emphasis on attack scenario analysis. In our framework, we use clustering techniques to process low-level alert data into high-level aggregated alerts, and conduct causal analysis based on statistical tests to discover new relationships among attacks. Our statistical causality approach complements other approaches that use hard-coded prior knowledge for pattern matching. We perform a series of experiments to validate our method using DARPA\u2019s Grand Challenge Problem (GCP) datasets and the DEF CON 9 datasets. The results show that our approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated.", 
    "editor": [
      {
        "familyName": "Vigna", 
        "givenName": "Giovanni", 
        "type": "Person"
      }, 
      {
        "familyName": "Kruegel", 
        "givenName": "Christopher", 
        "type": "Person"
      }, 
      {
        "familyName": "Jonsson", 
        "givenName": "Erland", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-540-45248-5_5", 
    "inLanguage": [
      "en"
    ], 
    "isAccessibleForFree": false, 
    "isPartOf": {
      "isbn": [
        "978-3-540-40878-9", 
        "978-3-540-45248-5"
      ], 
      "name": "Recent Advances in Intrusion Detection", 
      "type": "Book"
    }, 
    "name": "Statistical Causality Analysis of INFOSEC Alert Data", 
    "pagination": "73-93", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1040339087"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-540-45248-5_5"
        ]
      }, 
      {
        "name": "readcube_id", 
        "type": "PropertyValue", 
        "value": [
          "c028831e1902f4d40ca7c3c1ee65927f2a3cdf8911176548e9947d844e317ded"
        ]
      }
    ], 
    "publisher": {
      "location": "Berlin, Heidelberg", 
      "name": "Springer Berlin Heidelberg", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-540-45248-5_5", 
      "https://app.dimensions.ai/details/publication/pub.1040339087"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2019-04-16T08:01", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-uberresearch-data-dimensions-target-20181106-alternative/cleanup/v134/2549eaecd7973599484d7c17b260dba0a4ecb94b/merge/v9/a6c9fde33151104705d4d7ff012ea9563521a3ce/jats-lookup/v90/0000000359_0000000359/records_29197_00000002.jsonl", 
    "type": "Chapter", 
    "url": "https://link.springer.com/10.1007%2F978-3-540-45248-5_5"
  }
]
 


HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-540-45248-5_5'
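The curl lines above show the content negotiation; what a consumer then has to deal with is the shape of the JSON-LD record: the same DOI spelled three ways (`sg:pub.10.1007/…`, `https://doi.org/…`, and a bare `productId` value), citations that occasionally appear twice, and ISBNs that are worth checking before they are indexed. The following is an added example written for this page, not SciGraph's own client code. `fetch_record` performs the same request as the `application/ld+json` curl command (it is the only part that touches the network and is not called in the offline demo; the refusal of a redirect that lands on plain http is the editor's caveat, not documented endpoint behaviour). `SAMPLE` is a constructed, trimmed copy of the record shown on this page with one citation deliberately repeated as it is in the original.

```python
"""Added example (not SciGraph client code): consume a SciGraph JSON-LD record, normalise the
identifier spellings it mixes, dedupe citations, and sanity-check the book ISBNs."""
import json
import re
import urllib.request

SCIGRAPH = "https://scigraph.springernature.com/"
DOI_RE = re.compile(r"^10\.\d{4,9}/\S+$")

def fetch_record(pub_id, timeout=15):
    """Content negotiation, as in the curl invocations above (network; unused in the offline demo)."""
    req = urllib.request.Request(SCIGRAPH + pub_id, headers={"Accept": "application/ld+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if not resp.url.startswith("https://"):  # refuse a redirect that downgraded to http
            raise RuntimeError("insecure redirect: " + resp.url)
        data = json.load(resp)
    return data[0] if isinstance(data, list) else data  # the endpoint wraps the record in a list

def canonical_doi(identifier):
    """'sg:pub.10.1007/x', 'https://doi.org/10.1007/x', 'doi:10.1007/x' -> '10.1007/x'; None if not a DOI."""
    s = identifier.strip()
    for prefix in ("sg:pub.", "https://doi.org/", "http://dx.doi.org/", "doi:"):
        if s.lower().startswith(prefix):
            s = s[len(prefix):]
            break
    s = s.lower()
    return s if DOI_RE.match(s) else None

def citation_dois(record):
    """Unique cited DOIs; the record lists some citations twice, so dedupe on the canonical DOI."""
    found = set()
    for cit in record.get("citation", []):
        for cand in [cit.get("id", "")] + list(cit.get("sameAs", [])):
            doi = canonical_doi(cand)
            if doi:
                found.add(doi)
                break
    return sorted(found)

def isbn13_valid(isbn):
    """ISBN-13 check digit: weights 1,3,1,3,... over the first 12 digits, (10 - sum mod 10) mod 10."""
    digits = [int(ch) for ch in isbn if ch.isdigit()]
    if len(digits) != 13:
        return False
    total = sum(d * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]

def summarize(record):
    """Fields a downstream index would keep, plus consistency checks between the identifier copies."""
    product_doi = next((v for p in record.get("productId", []) if p.get("name") == "doi"
                        for v in p.get("value", [])), "")
    return {
        "doi": canonical_doi(product_doi),
        "doi_matches_id": canonical_doi(record.get("id", "")) == canonical_doi(product_doi),
        "title": record.get("name"),
        "authors": [a["givenName"] + " " + a["familyName"] for a in record.get("author", [])],
        "isbns": {i: isbn13_valid(i) for i in record.get("isPartOf", {}).get("isbn", [])},
        "citations_listed": len(record.get("citation", [])),
        "citations_unique": len(citation_dois(record)),
    }

# Constructed, trimmed copy of the record shown on this page; one citation repeated as in the original.
SAMPLE = {
    "id": "sg:pub.10.1007/978-3-540-45248-5_5",
    "name": "Statistical Causality Analysis of INFOSEC Alert Data",
    "author": [{"givenName": "Xinzhou", "familyName": "Qin"}, {"givenName": "Wenke", "familyName": "Lee"}],
    "isPartOf": {"isbn": ["978-3-540-40878-9", "978-3-540-45248-5"]},
    "productId": [{"name": "doi", "value": ["10.1007/978-3-540-45248-5_5"]}],
    "citation": [
        {"id": "sg:pub.10.1007/3-540-45474-8_6", "sameAs": ["https://doi.org/10.1007/3-540-45474-8_6"]},
        {"id": "sg:pub.10.1007/3-540-45474-8_6", "sameAs": ["https://doi.org/10.1007/3-540-45474-8_6"]},
        {"id": "https://doi.org/10.2307/1912791", "sameAs": ["https://app.dimensions.ai/details/publication/pub.1069640326"]},
        {"id": "https://doi.org/10.1093/biomet/65.2.297"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Both ISBNs on this page pass the check digit, the `productId` DOI agrees with the `sg:pub.` identifier, and the repeated citation collapses to one entry. For a batch job the N-Triples form (`application/n-triples`) is the better input, since each line is one triple and the duplicates then disappear under a plain `sort -u`.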


 

This table displays all metadata directly associated to this object as RDF triples.

143 TRIPLES      23 PREDICATES      45 URIs      20 LITERALS      8 BLANK NODES

Subject Predicate Object
sg:pub.10.1007/978-3-540-45248-5_5 schema:about anzsrc-for:08
sg:pub.10.1007/978-3-540-45248-5_5 schema:about anzsrc-for:0801
sg:pub.10.1007/978-3-540-45248-5_5 schema:author N819cfce55fab451b8d02ae09bb4db9da
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation sg:pub.10.1007/3-540-36084-0_5
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation sg:pub.10.1007/3-540-36084-0_6
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation sg:pub.10.1007/3-540-45474-8_4
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation sg:pub.10.1007/3-540-45474-8_6
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation sg:pub.10.1007/978-0-387-34890-2_24
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation sg:pub.10.1007/978-0-387-34890-2_25
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation sg:pub.10.1023/a:1015910917349
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1093/biomet/65.2.297
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1109/65.244794
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1109/discex.2003.1194892
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1109/infcom.1993.253408
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1109/inm.2001.918069
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1109/msecp.2003.1176995
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1109/secpri.2002.1004372
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1137/1.9781611972726.13
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1145/586110.586144
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.1145/775047.775101
sg:pub.10.1007/978-3-540-45248-5_5 schema:citation https://doi.org/10.2307/1912791
sg:pub.10.1007/978-3-540-45248-5_5 schema:datePublished 2003
sg:pub.10.1007/978-3-540-45248-5_5 schema:datePublishedReg 2003-01-01
sg:pub.10.1007/978-3-540-45248-5_5 schema:description With the increasingly widespread deployment of security mechanisms, such as firewalls, intrusion detection systems (IDSs), antivirus software and authentication services, the problem of alert analysis has become very important. The large amount of alerts can overwhelm security administrators and prevent them from adequately understanding and analyzing the security state of the network, and initiating appropriate response in a timely fashion. Recently, several approaches for alert correlation and attack scenario analysis have been proposed. However, these approaches all have limited capabilities in detecting new attack scenarios. In this paper, we study the problem of security alert correlation with an emphasis on attack scenario analysis. In our framework, we use clustering techniques to process low-level alert data into high-level aggregated alerts, and conduct causal analysis based on statistical tests to discover new relationships among attacks. Our statistical causality approach complements other approaches that use hard-coded prior knowledge for pattern matching. We perform a series of experiments to validate our method using DARPA’s Grand Challenge Problem (GCP) datasets and the DEF CON 9 datasets. The results show that our approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated.
sg:pub.10.1007/978-3-540-45248-5_5 schema:editor Nc60e87a99abb4a099f2e417456631e2e
sg:pub.10.1007/978-3-540-45248-5_5 schema:genre chapter
sg:pub.10.1007/978-3-540-45248-5_5 schema:inLanguage en
sg:pub.10.1007/978-3-540-45248-5_5 schema:isAccessibleForFree false
sg:pub.10.1007/978-3-540-45248-5_5 schema:isPartOf Nc01a41d7cf164735b70e4a5ef0ecf51d
sg:pub.10.1007/978-3-540-45248-5_5 schema:name Statistical Causality Analysis of INFOSEC Alert Data
sg:pub.10.1007/978-3-540-45248-5_5 schema:pagination 73-93
sg:pub.10.1007/978-3-540-45248-5_5 schema:productId N1cc183d3af5a4ec8994dadc22846eaf9
sg:pub.10.1007/978-3-540-45248-5_5 schema:productId N975c9d7348144c75a24ff20005afccfc
sg:pub.10.1007/978-3-540-45248-5_5 schema:productId Neff930cc01ba4d43abb2910f2a46d77f
sg:pub.10.1007/978-3-540-45248-5_5 schema:publisher N84adfb6928aa4a908c559fb228dc1c69
sg:pub.10.1007/978-3-540-45248-5_5 schema:sameAs https://app.dimensions.ai/details/publication/pub.1040339087
sg:pub.10.1007/978-3-540-45248-5_5 schema:sameAs https://doi.org/10.1007/978-3-540-45248-5_5
sg:pub.10.1007/978-3-540-45248-5_5 schema:sdDatePublished 2019-04-16T08:01
sg:pub.10.1007/978-3-540-45248-5_5 schema:sdLicense https://scigraph.springernature.com/explorer/license/
sg:pub.10.1007/978-3-540-45248-5_5 schema:sdPublisher N4f75feea6c314267804164d7d5d3b4d7
sg:pub.10.1007/978-3-540-45248-5_5 schema:url https://link.springer.com/10.1007%2F978-3-540-45248-5_5
sg:pub.10.1007/978-3-540-45248-5_5 sgo:license sg:explorer/license/
sg:pub.10.1007/978-3-540-45248-5_5 sgo:sdDataset chapters
sg:pub.10.1007/978-3-540-45248-5_5 rdf:type schema:Chapter
N1cc183d3af5a4ec8994dadc22846eaf9 schema:name readcube_id
N1cc183d3af5a4ec8994dadc22846eaf9 schema:value c028831e1902f4d40ca7c3c1ee65927f2a3cdf8911176548e9947d844e317ded
N1cc183d3af5a4ec8994dadc22846eaf9 rdf:type schema:PropertyValue
N25ce70b5122d483cbd85847c6aa2044e schema:familyName Vigna
N25ce70b5122d483cbd85847c6aa2044e schema:givenName Giovanni
N25ce70b5122d483cbd85847c6aa2044e rdf:type schema:Person
N304794b26e6f406ebcbf4270311dce76 schema:familyName Kruegel
N304794b26e6f406ebcbf4270311dce76 schema:givenName Christopher
N304794b26e6f406ebcbf4270311dce76 rdf:type schema:Person
N4f75feea6c314267804164d7d5d3b4d7 schema:name Springer Nature - SN SciGraph project
N4f75feea6c314267804164d7d5d3b4d7 rdf:type schema:Organization
N738e6949fde74c6b88fb6e5f2e0822d8 schema:familyName Jonsson
N738e6949fde74c6b88fb6e5f2e0822d8 schema:givenName Erland
N738e6949fde74c6b88fb6e5f2e0822d8 rdf:type schema:Person
N7febc5a0c4cf4f2091b74b064246d149 rdf:first N738e6949fde74c6b88fb6e5f2e0822d8
N7febc5a0c4cf4f2091b74b064246d149 rdf:rest rdf:nil
N819cfce55fab451b8d02ae09bb4db9da rdf:first sg:person.016165000537.89
N819cfce55fab451b8d02ae09bb4db9da rdf:rest Ndecd7f8ce6bf4ef1ab00a114f5320d53
N84adfb6928aa4a908c559fb228dc1c69 schema:location Berlin, Heidelberg
N84adfb6928aa4a908c559fb228dc1c69 schema:name Springer Berlin Heidelberg
N84adfb6928aa4a908c559fb228dc1c69 rdf:type schema:Organisation
N975c9d7348144c75a24ff20005afccfc schema:name dimensions_id
N975c9d7348144c75a24ff20005afccfc schema:value pub.1040339087
N975c9d7348144c75a24ff20005afccfc rdf:type schema:PropertyValue
Nc01a41d7cf164735b70e4a5ef0ecf51d schema:isbn 978-3-540-40878-9
Nc01a41d7cf164735b70e4a5ef0ecf51d schema:isbn 978-3-540-45248-5
Nc01a41d7cf164735b70e4a5ef0ecf51d schema:name Recent Advances in Intrusion Detection
Nc01a41d7cf164735b70e4a5ef0ecf51d rdf:type schema:Book
Nc60e87a99abb4a099f2e417456631e2e rdf:first N25ce70b5122d483cbd85847c6aa2044e
Nc60e87a99abb4a099f2e417456631e2e rdf:rest Nd9cfad7c467b449382dfb9a5c9c291d8
Nd9cfad7c467b449382dfb9a5c9c291d8 rdf:first N304794b26e6f406ebcbf4270311dce76
Nd9cfad7c467b449382dfb9a5c9c291d8 rdf:rest N7febc5a0c4cf4f2091b74b064246d149
Ndecd7f8ce6bf4ef1ab00a114f5320d53 rdf:first sg:person.014402357505.82
Ndecd7f8ce6bf4ef1ab00a114f5320d53 rdf:rest rdf:nil
Neff930cc01ba4d43abb2910f2a46d77f schema:name doi
Neff930cc01ba4d43abb2910f2a46d77f schema:value 10.1007/978-3-540-45248-5_5
Neff930cc01ba4d43abb2910f2a46d77f rdf:type schema:PropertyValue
anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
anzsrc-for:08 schema:name Information and Computing Sciences
anzsrc-for:08 rdf:type schema:DefinedTerm
anzsrc-for:0801 schema:inDefinedTermSet anzsrc-for:
anzsrc-for:0801 schema:name Artificial Intelligence and Image Processing
anzsrc-for:0801 rdf:type schema:DefinedTerm
sg:person.014402357505.82 schema:affiliation https://www.grid.ac/institutes/grid.213917.f
sg:person.014402357505.82 schema:familyName Lee
sg:person.014402357505.82 schema:givenName Wenke
sg:person.014402357505.82 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014402357505.82
sg:person.014402357505.82 rdf:type schema:Person
sg:person.016165000537.89 schema:affiliation https://www.grid.ac/institutes/grid.213917.f
sg:person.016165000537.89 schema:familyName Qin
sg:person.016165000537.89 schema:givenName Xinzhou
sg:person.016165000537.89 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016165000537.89
sg:person.016165000537.89 rdf:type schema:Person
sg:pub.10.1007/3-540-36084-0_5 schema:sameAs https://app.dimensions.ai/details/publication/pub.1014116851
sg:pub.10.1007/3-540-36084-0_5 schema:sameAs https://doi.org/10.1007/3-540-36084-0_5
sg:pub.10.1007/3-540-36084-0_5 rdf:type schema:CreativeWork
sg:pub.10.1007/3-540-36084-0_6 schema:sameAs https://app.dimensions.ai/details/publication/pub.1033538885
sg:pub.10.1007/3-540-36084-0_6 schema:sameAs https://doi.org/10.1007/3-540-36084-0_6
sg:pub.10.1007/3-540-36084-0_6 rdf:type schema:CreativeWork
sg:pub.10.1007/3-540-45474-8_4 schema:sameAs https://app.dimensions.ai/details/publication/pub.1045138349
sg:pub.10.1007/3-540-45474-8_4 schema:sameAs https://doi.org/10.1007/3-540-45474-8_4
sg:pub.10.1007/3-540-45474-8_4 rdf:type schema:CreativeWork
sg:pub.10.1007/3-540-45474-8_6 schema:sameAs https://app.dimensions.ai/details/publication/pub.1028240787
sg:pub.10.1007/3-540-45474-8_6 schema:sameAs https://doi.org/10.1007/3-540-45474-8_6
sg:pub.10.1007/3-540-45474-8_6 rdf:type schema:CreativeWork
sg:pub.10.1007/978-0-387-34890-2_24 schema:sameAs https://app.dimensions.ai/details/publication/pub.1032937365
sg:pub.10.1007/978-0-387-34890-2_24 schema:sameAs https://doi.org/10.1007/978-0-387-34890-2_24
sg:pub.10.1007/978-0-387-34890-2_24 rdf:type schema:CreativeWork
sg:pub.10.1007/978-0-387-34890-2_25 schema:sameAs https://app.dimensions.ai/details/publication/pub.1029366571
sg:pub.10.1007/978-0-387-34890-2_25 schema:sameAs https://doi.org/10.1007/978-0-387-34890-2_25
sg:pub.10.1007/978-0-387-34890-2_25 rdf:type schema:CreativeWork
sg:pub.10.1023/a:1015910917349 schema:sameAs https://app.dimensions.ai/details/publication/pub.1047385361
sg:pub.10.1023/a:1015910917349 schema:sameAs https://doi.org/10.1023/a:1015910917349
sg:pub.10.1023/a:1015910917349 rdf:type schema:CreativeWork
https://doi.org/10.1093/biomet/65.2.297 schema:sameAs https://app.dimensions.ai/details/publication/pub.1059418747
https://doi.org/10.1093/biomet/65.2.297 rdf:type schema:CreativeWork
https://doi.org/10.1109/65.244794 schema:sameAs https://app.dimensions.ai/details/publication/pub.1061205410
https://doi.org/10.1109/65.244794 rdf:type schema:CreativeWork
https://doi.org/10.1109/discex.2003.1194892 schema:sameAs https://app.dimensions.ai/details/publication/pub.1093692431
https://doi.org/10.1109/discex.2003.1194892 rdf:type schema:CreativeWork
https://doi.org/10.1109/infcom.1993.253408 schema:sameAs https://app.dimensions.ai/details/publication/pub.1086265988
https://doi.org/10.1109/infcom.1993.253408 rdf:type schema:CreativeWork
https://doi.org/10.1109/inm.2001.918069 schema:sameAs https://app.dimensions.ai/details/publication/pub.1094983441
https://doi.org/10.1109/inm.2001.918069 rdf:type schema:CreativeWork
https://doi.org/10.1109/msecp.2003.1176995 schema:sameAs https://app.dimensions.ai/details/publication/pub.1061421770
https://doi.org/10.1109/msecp.2003.1176995 rdf:type schema:CreativeWork
https://doi.org/10.1109/secpri.2002.1004372 schema:sameAs https://app.dimensions.ai/details/publication/pub.1094346769
https://doi.org/10.1109/secpri.2002.1004372 rdf:type schema:CreativeWork
https://doi.org/10.1137/1.9781611972726.13 schema:sameAs https://app.dimensions.ai/details/publication/pub.1088799864
https://doi.org/10.1137/1.9781611972726.13 rdf:type schema:CreativeWork
https://doi.org/10.1145/586110.586144 schema:sameAs https://app.dimensions.ai/details/publication/pub.1005140811
https://doi.org/10.1145/586110.586144 rdf:type schema:CreativeWork
https://doi.org/10.1145/775047.775101 schema:sameAs https://app.dimensions.ai/details/publication/pub.1047028566
https://doi.org/10.1145/775047.775101 rdf:type schema:CreativeWork
https://doi.org/10.2307/1912791 schema:sameAs https://app.dimensions.ai/details/publication/pub.1069640326
https://doi.org/10.2307/1912791 rdf:type schema:CreativeWork
https://www.grid.ac/institutes/grid.213917.f schema:alternateName Georgia Institute of Technology
https://www.grid.ac/institutes/grid.213917.f schema:name Georgia Institute of Technology, College of Computing, 30332, Atlanta, GA, USA
https://www.grid.ac/institutes/grid.213917.f rdf:type schema:Organization
 



