Title :
Real-time detection of attack scenarios through correlation of intrusion detection system alerts
Degree :
Master's (M.Sc.)
Field of study :
Artificial Intelligence and Robotics
Place of study :
Isfahan: Isfahan University of Technology, Faculty of Electrical and Computer Engineering
Pagination :
ix, 93, [I] p.: illustrated, tables, charts
Note :
Title page in Persian and English
Supervisor :
Hossein Saidi
Advisor :
Masoud Reza Hashemi
Descriptors :
Computer network security, alert fusion, TVA method
Indexing date :
Examiners :
Mehdi Berenjkoub, Mohammad Dakhilalian
Faculty :
Electrical and Computer Engineering
Persian abstract :
In Persian and English: viewable in the digital version
English abstract :
Real-Time Attack Scenario Detection via Intrusion Detection Alert Correlation
Zeinab Zali, z.zali@ec.iut.ac.ir
Date of Submission: April 2009
Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan 84156-83111, Iran
Degree: M.Sc.
Language: Farsi
Supervisor: Hossein Saidi, hsaidi@cc.iut.ac.ir

Abstract
Computer networks are essential in today's information society, and they are usually connected to the global Internet. Since security was not among the original design goals of the Internet, securing networks against attacks has become very important in recent decades. Nowadays various security systems and tools, such as Intrusion Detection Systems (IDS), are deployed in networks to provide security. When an IDS observes suspicious events that represent unauthorized access, abuse, or harmful activity damaging systems and computer networks, it produces alerts. Extracting useful information from these alerts, however, is not easy:
1. IDSs may flag a large number of alerts every day, flooding and overwhelming the security officers.
2. Among the alerts produced by IDSs, false alerts are mixed with true ones.
3. IDSs cannot detect all attack attempts and may miss some alerts.
4. There are causal relationships between the successive steps of an attack scenario, but IDSs do not detect correlations among the alerts.
Therefore, analyzing the alerts is necessary for extracting useful information from the thousands of alerts produced by one or more IDSs. Each alert can be regarded as a symptom of a low-level attack. Alert correlation is the process of analyzing alerts produced by one or more intrusion detection systems in order to provide a high-level view of occurring or attempted intrusions. Alert correlation systems attempt to discover the relations among IDS alerts to determine the attack scenarios and their main motivations.

The main purpose of this thesis is to propose a new IDS alert correlation method that detects attack scenarios in real time. After reviewing the literature on alert correlation, the main issues and challenges are analyzed and a new method is proposed. The proposed method is based on the causal approach because of the strength of causal methods in practice. Most causal methods can be deployed offline but not in real time, due to time and memory limitations. In the proposed method the knowledge base of attack patterns is represented in a graph model called the Causal Relations Graph. This graph contains low-level attack patterns in the form of their prerequisites and consequences, and it is also a clear representation of the causal relations among the low-level attacks. In existing causal methods, after receiving each alert a search is performed on the knowledge base of attack patterns to find correlated alerts. Our proposed algorithm instead consists of two disjoint parts. Before receiving any alerts, for each attack pattern we perform a search to discover all its correlations with other attacks, and the result of each search is saved as a tree. In real time, for each received alert we can find its correlations with previously received alerts by searching only the corresponding tree; thus the processing time of each alert decreases significantly. In addition, the proposed method is immune to deliberately slowed attacks. To demonstrate the proposed method we implemented it in C and tested it on the DARPA2000 dataset. Experimental results show the correctness of the proposed alert correlation and its efficiency with respect to run time.

Keywords: Attack, Intrusion, Attack Scenario, Intrusion Detection System, Alert, Alert Correlation, Graph
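The two-phase scheme the abstract describes (an offline search per attack pattern saved as a tree, then an online lookup in only that pattern's tree), as an added Python example that is not the thesis's own C implementation. The prerequisite/consequence knowledge base and the alert stream are constructed to resemble a DARPA2000 LLDOS-style multi-step scenario, and the rule that predecessor alerts must share the target host is an assumption of this example.

```python
from collections import defaultdict, deque

# Knowledge base (constructed): low-level attack patterns with prerequisites and
# consequences written as predicates over the target host "T".
PATTERNS = {
    "IcmpSweep":      {"pre": set(),                 "post": {"HostAlive(T)"}},
    "SadmindPing":    {"pre": {"HostAlive(T)"},      "post": {"SadmindRunning(T)"}},
    "SadmindExploit": {"pre": {"SadmindRunning(T)"}, "post": {"RootAccess(T)"}},
    "DdosInstall":    {"pre": {"RootAccess(T)"},     "post": {"DdosAgent(T)"}},
    "DdosLaunch":     {"pre": {"DdosAgent(T)"},      "post": {"Flood(T)"}},
}

def causal_graph(patterns):
    """Causal Relations Graph: edge a -> b when a consequence of a satisfies a prerequisite of b."""
    return {a: {b for b in patterns if patterns[a]["post"] & patterns[b]["pre"]} for a in patterns}

def correlation_trees(patterns):
    """Offline phase: search backwards from every pattern once; save predecessors with their depth."""
    graph = causal_graph(patterns)
    parents = {b: {a for a in graph if b in graph[a]} for b in patterns}
    trees = {}
    for root in patterns:
        depth, queue = {root: 0}, deque([root])
        while queue:
            node = queue.popleft()
            for p in parents[node]:
                if p not in depth:
                    depth[p] = depth[node] + 1
                    queue.append(p)
        trees[root] = {p: d for p, d in depth.items() if p != root}
    return trees

class Correlator:
    """Online phase: an incoming alert is checked only against its own pattern's tree."""
    def __init__(self, patterns):
        self.trees = correlation_trees(patterns)
        # Alerts are indexed by (pattern, target) and never expire, so a scenario spread
        # over hours or days still correlates (the "deliberately slowed attack" case).
        self.seen = defaultdict(list)
    def receive(self, alert):
        preds = [old for p in self.trees[alert["pattern"]] for old in self.seen[(p, alert["dst"])]]
        self.seen[(alert["pattern"], alert["dst"])].append(alert)
        return preds

ALERTS = [  # constructed stream: one LLDOS-like scenario against 172.16.1.9 plus a stray alert
    {"id": 1, "pattern": "IcmpSweep",      "src": "10.0.0.5", "dst": "172.16.1.9"},
    {"id": 2, "pattern": "SadmindPing",    "src": "10.0.0.5", "dst": "172.16.1.9"},
    {"id": 3, "pattern": "SadmindPing",    "src": "10.0.0.5", "dst": "172.16.1.20"},
    {"id": 4, "pattern": "SadmindExploit", "src": "10.0.0.5", "dst": "172.16.1.9"},
    {"id": 5, "pattern": "DdosInstall",    "src": "10.0.0.5", "dst": "172.16.1.9"},
]

def correlate(alerts):
    """Return, per alert id, the ids of earlier alerts it is causally linked to."""
    c = Correlator(PATTERNS)
    return {a["id"]: sorted(old["id"] for old in c.receive(a)) for a in alerts}
```

Alert 3 targets a different host and is left unlinked, while alert 5 is linked back through the whole chain without any time-window assumption.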