Title

Active Event Correlation In Bro Ids To Detect Multi-Stage Attacks

Abstract

Many recent computer attacks have been launched in multiple stages to evade the detection of existing Intrusion Detection Systems (IDS). Some stages of the attack may appear innocent if checked separately. Furthermore, the intervals between these separate attack stages can be on the order of hours, days, or even months. These characteristics of multi-stage attacks make the detection task challending for most existing IDSs that are stateless in that they perform intrusion detection by independently checking individual packets, connections or sessions. In this paper, we propose a novel approach, Active Event Correlation (AEC), which collects and correlates suspicious network events inside a Network Intrusion Detection System (NIDS). AEC infers the possibility of attacks in the context of security policies and blocks attacks before they are completed. We have implemented AEC on top of the Bro NIDS [13]. Experiments indicate that AEC can effectively recognize and correlate individual stages of multi-stage attacks, stop incomplete attack stages, and give network administrators meaningful and concise alerts. © 2006 IEEE.

Publication Date

11-17-2006

Publication Title

Proceedings - Fourth IEEE International Workshop on Information Assurance, IWIA 2006

Volume

2006

Number of Pages

32-50

Document Type

Article; Proceedings Paper

Personal Identifier

scopus

DOI Link

https://doi.org/10.1109/IWIA.2006.2

Socpus ID

33750950133 (Scopus)

Source API URL

https://api.elsevier.com/content/abstract/scopus_id/33750950133

This document is currently not available here.

Share

COinS