NDSS 2005, IEEE

Enriching Intrusion Alerts Through Multi-Host Causality

Current intrusion detection systems point out suspicious states or events but do not show how the suspicious state or events relate to other states or events in the system. We show how to enrich an IDS alert with information about how those alerts causally lead to or result from other events in the system. By enriching IDS alerts with this type of causal information, we can leverage existing IDS alerts to learn more about the suspected attack. Backward causal graphs can be used to find which host allowed a multi-hop attack (such as a worm) to enter a local network; forward causal graphs can be used to find the other hosts that were affected by the multi-hop attack. We demonstrate this use of causality on a local network by tracking the Slapper worm, a manual attack that spreads via several attack vectors, and an e-mail virus. Causality can also be used to correlate distinct network and host IDS alerts. We demonstrate this use of causality by correlating Snort and host IDS alerts to ...
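As an added illustration (not code from the paper or its authors), the following Python builds an object-level dependency graph from a constructed multi-host event log and computes the time-bounded backward and forward closures the abstract describes: backward from a host IDS alert to find the connection through which the attack entered the network, forward from that entry point to find the other hosts it reached. The hosts, object names, timestamps and the alert itself are all constructed assumptions; the event records are not real log data.

```python
from collections import defaultdict

# Constructed multi-host dependency log (illustration only, not data from the
# paper). Each record is (time, source, sink); objects are (host, kind, name)
# tuples. A record means information flowed from source into sink at that time.
# Cross-host flows are represented by a shared network object on host "link";
# traffic from outside the local network uses host "ext".
EVENTS = [
    (0, ("hostB", "file", "/etc/httpd.conf"), ("hostB", "proc", "httpd")),
    (1, ("ext", "net", "203.0.113.5->hostA:443"), ("hostA", "proc", "httpd")),
    (2, ("hostA", "proc", "httpd"), ("hostA", "proc", "sh")),
    (3, ("hostA", "proc", "sh"), ("hostA", "file", "/tmp/payload")),
    (4, ("hostA", "file", "/tmp/payload"), ("hostA", "proc", "payload")),
    (5, ("hostA", "proc", "payload"), ("link", "net", "hostA->hostB:443")),
    (5, ("link", "net", "hostA->hostB:443"), ("hostB", "proc", "httpd")),
    (6, ("hostB", "proc", "httpd"), ("hostB", "proc", "sh")),
    (7, ("hostB", "proc", "sh"), ("hostB", "file", "/tmp/payload")),
    # Benign activity that is not causally connected to the attack.
    (8, ("hostA", "proc", "cron"), ("hostA", "file", "/var/log/cron")),
    # Later write by the compromised httpd on hostB (forward closure keeps it).
    (9, ("hostB", "proc", "httpd"), ("hostB", "file", "/var/log/access.log")),
]


def build_index(events):
    """Index flows by sink (for backward walks) and by source (for forward walks)."""
    into, outof = defaultdict(list), defaultdict(list)
    for t, src, sink in events:
        into[sink].append((t, src))
        outof[src].append((t, sink))
    return into, outof


def backward_graph(events, alert_obj, alert_time):
    """Objects and flows that could have causally led to alert_obj by alert_time.

    A flow into an object only counts if it happened no later than the time
    bound at which that object is being explored; the bound tightens to the
    flow's own time as the walk moves to the flow's source.
    """
    into, _ = build_index(events)
    explored = {}  # object -> largest time bound already explored
    edges = set()
    stack = [(alert_obj, alert_time)]
    while stack:
        obj, bound = stack.pop()
        if explored.get(obj, -1) >= bound:
            continue
        explored[obj] = bound
        for t, src in into[obj]:
            if t <= bound:
                edges.add((t, src, obj))
                stack.append((src, t))
    return set(explored), edges


def forward_graph(events, start_obj, start_time):
    """Objects and flows that start_obj could have causally affected from start_time on."""
    _, outof = build_index(events)
    explored = {}  # object -> smallest time bound already explored
    edges = set()
    stack = [(start_obj, start_time)]
    while stack:
        obj, bound = stack.pop()
        if obj in explored and explored[obj] <= bound:
            continue
        explored[obj] = bound
        for t, sink in outof[obj]:
            if t >= bound:
                edges.add((t, obj, sink))
                stack.append((sink, t))
    return set(explored), edges


def entry_points(objects):
    """Network objects originating outside the local network."""
    return {o for o in objects if o[0] == "ext"}


def affected_hosts(objects):
    """Local hosts owning a process or file in the causal set."""
    return {o[0] for o in objects if o[0] not in ("ext", "link")}


if __name__ == "__main__":
    # Assumed host IDS alert: httpd on hostB spawned a shell at time 6.
    alert = ("hostB", "proc", "sh")
    back_objs, back_edges = backward_graph(EVENTS, alert, 6)
    print("entry points:", entry_points(back_objs))
    for entry in entry_points(back_objs):
        fwd_objs, _ = forward_graph(EVENTS, entry, 1)
        print("hosts affected via", entry[2], ":", sorted(affected_hosts(fwd_objs)))
```

The time bounds are what keep the closures from collapsing into "everything ever connected to httpd": the benign cron write on hostA is never reached, and the httpd.conf read on hostB appears only in the backward set (it preceded the alert) while the later access.log write appears only in the forward set. Long-lived processes such as a web server still cause over-approximation, since every later write by the compromised httpd is kept in the forward graph; that is the usual cost of object-level rather than instruction-level tracking.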
Type Conference
Year 2005
Where NDSS
Authors Samuel T. King, Zhuoqing Morley Mao, Dominic G. Lucchetti, Peter M. Chen