Sciweavers

Share
COMCOM
2006

Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts

8 years 10 months ago
Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts
To defend against multi-step intrusions in high-speed networks, efficient algorithms are needed to correlate isolated alerts into attack scenarios. Existing correlation methods usually employ an in-memory index for fast searches among received alerts. With finite memory, the index can only be built on a limited number of alerts inside a sliding window. Knowing this fact, an attacker can prevent two attack steps from both falling into the sliding window by either passively delaying the second step or actively injecting bogus alerts between the two steps. In either case, the correlation effort is defeated. In this paper, we first address the above issue with a novel queue graph (QG) approach. Instead of searching all the received alerts for those that prepare for a new alert, we only search for the latest alert of each type. The correlation between the new alert and other alerts is implicitly represented using the temporal order between alerts. Consequently, our approach can correlate a...
Lingyu Wang, Anyi Liu, Sushil Jajodia
Added 11 Dec 2010
Updated 11 Dec 2010
Type Journal
Year 2006
Where COMCOM
Authors Lingyu Wang, Anyi Liu, Sushil Jajodia
Comments (0)
books