Type of Document: Master's Thesis
Author: Mahalati, Jaideep
Author's Email Address: jmahala@ncsu.edu
URN: etd-08072005-234228
Title: Facilitating Alert Correlation Using Resource Trees
Degree: Master of Science
Graduate Program: Computer Science
Advisory Committee:
- Dr. Peng Ning, Committee Chair
- Dr. Douglas S. Reeves, Committee Member
- Dr. Ting Yu, Committee Member
Keywords:
- Resource Tree
- Alert Correlation
- Intrusion Detection
Date of Defense: 2005-08-05
Availability: unrestricted
Abstract:
With the steady increase in the number of attacks against networks and hosts, security systems such as intrusion detection systems are widely deployed in networks. Intrusion detection systems may flag large numbers of alerts, in which false alerts are mixed with true ones. To understand the security threats and take appropriate actions, it is necessary to perform alert correlation. One class of alert correlation methods is the prerequisite and consequence based approach, where the prerequisite of an attack is the necessary condition to launch the attack, and the consequence of an attack is the possible outcome if the attack succeeds. By matching the consequences of earlier attacks with the prerequisites of later ones, attack scenarios can be discovered. However, one limitation of these approaches is that specifying prerequisites and consequences for different alert types is usually time-consuming and error-prone. To address this limitation, this thesis proposes a resource tree based method to facilitate the specification of prerequisites and consequences. Attacks can be viewed from the perspective of resources; example resources include various network services and privileges. This thesis further organizes resources into trees, where the nodes in the trees are labelled with conditions (represented by predicates). To specify the prerequisite and consequence of an attack, one first looks for the resource trees related to the attack's prerequisite and consequence, then traverses the trees to find the appropriate nodes, and finally selects the suitable predicates to put into the prerequisite and consequence. This approach is simple and less dependent on expert knowledge. The usability study and comprehensiveness study (covering more than 3000 alert types) demonstrate the effectiveness of this approach. Correlation results with different datasets further show that prerequisites and consequences defined using our methodology can be effectively used for alert correlation.
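The prerequisite/consequence matching the abstract describes, as an added worked example in Python (not code from the thesis): a small resource forest whose nodes carry predicate templates, hypothetical alert-type specifications that pick nodes from it by name, and a correlator that links an earlier alert to a later one when an instantiated consequence of the earlier alert equals an instantiated prerequisite of the later one, then groups linked alerts into scenarios. The tree names, alert types, predicate templates and sample alerts are all constructed for this example, and the rule that a node's condition implies the conditions of its ancestors is an assumption of the example, not a claim about the thesis.

```python
"""Added example: resource-tree based prerequisite/consequence correlation.
Everything here (trees, alert types, predicates, sample alerts) is constructed
for illustration and is not taken from the thesis."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class ResourceNode:
    """A resource-tree node labelled with a predicate template; template
    variables such as {dst} are filled from an alert's attributes."""
    name: str
    predicate: str
    children: List["ResourceNode"] = field(default_factory=list)
    parent: Optional["ResourceNode"] = field(default=None, repr=False, compare=False)

    def __post_init__(self) -> None:
        for child in self.children:
            child.parent = self

    def find(self, name: str) -> Optional["ResourceNode"]:
        """Depth-first traversal to locate a node by name."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None

    def lineage(self) -> List["ResourceNode"]:
        """This node followed by its ancestors up to the root."""
        out, node = [], self
        while node is not None:
            out.append(node)
            node = node.parent
        return out


# Constructed resource forest: one tree for network services, one for privileges.
SERVICES = ResourceNode("service", "ExistService({dst})", [
    ResourceNode("rpc", "ExistService({dst},rpc)", [
        ResourceNode("rpc-program", "ExistService({dst},rpc-program)"),
    ]),
    ResourceNode("ftp", "ExistService({dst},ftp)"),
])
PRIVILEGES = ResourceNode("access", "GainAccess({dst})", [
    ResourceNode("root-access", "GainRootAccess({dst})"),
])
FOREST = [SERVICES, PRIVILEGES]


def lookup(name: str) -> ResourceNode:
    """Step 1 and 2 of the specification procedure: search each tree for the node."""
    for tree in FOREST:
        node = tree.find(name)
        if node is not None:
            return node
    raise KeyError(f"no resource node named {name!r}")


@dataclass
class AlertTypeSpec:
    prerequisites: List[str]  # resource node names selected from the forest
    consequences: List[str]


# Hypothetical alert types (constructed; not from the thesis or any IDS).
SPECS: Dict[str, AlertTypeSpec] = {
    "RpcPortScan": AlertTypeSpec([], ["rpc"]),
    "RpcServiceProbe": AlertTypeSpec(["rpc"], ["rpc-program"]),
    "RpcServiceExploit": AlertTypeSpec(["rpc-program"], ["root-access"]),
    "FtpLoginFailure": AlertTypeSpec(["ftp"], []),
}


@dataclass
class Alert:
    id: int
    type: str
    ts: int
    attrs: Dict[str, str]


def prerequisites(alert: Alert) -> Set[str]:
    """Instantiate the selected prerequisite predicates with the alert's attributes."""
    return {lookup(n).predicate.format(**alert.attrs) for n in SPECS[alert.type].prerequisites}


def consequences(alert: Alert) -> Set[str]:
    """Instantiate consequence predicates; assumption: a node's condition implies
    its ancestors' conditions, so the whole lineage is emitted."""
    out: Set[str] = set()
    for name in SPECS[alert.type].consequences:
        for node in lookup(name).lineage():
            out.add(node.predicate.format(**alert.attrs))
    return out


def correlate(alerts: List[Alert]) -> List[Tuple[int, int, str]]:
    """Return (earlier_id, later_id, predicate) links where an earlier alert's
    consequence satisfies a strictly later alert's prerequisite."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    links: List[Tuple[int, int, str]] = []
    for i, later in enumerate(ordered):
        needed = prerequisites(later)
        for earlier in ordered[:i]:
            if earlier.ts >= later.ts:
                continue
            for pred in sorted(consequences(earlier) & needed):
                links.append((earlier.id, later.id, pred))
    return links


def scenarios(links: List[Tuple[int, int, str]]) -> List[FrozenSet[int]]:
    """Group linked alerts into attack scenarios (connected components, union-find)."""
    parent: Dict[int, int] = {}

    def find(x: int) -> int:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _ in links:
        parent[find(a)] = find(b)
    groups: Dict[int, Set[int]] = {}
    for x in list(parent):
        groups.setdefault(find(x), set()).add(x)
    return sorted((frozenset(g) for g in groups.values()), key=min)


# Constructed sample alerts: a scan, probe and exploit chain against 10.0.0.5,
# an unrelated FTP failure on 10.0.0.7, and an exploit that precedes its probe.
SAMPLE_ALERTS = [
    Alert(1, "RpcPortScan", 100, {"src": "10.1.1.9", "dst": "10.0.0.5"}),
    Alert(2, "RpcServiceProbe", 130, {"src": "10.1.1.9", "dst": "10.0.0.5"}),
    Alert(3, "RpcServiceExploit", 200, {"src": "10.1.1.9", "dst": "10.0.0.5"}),
    Alert(4, "FtpLoginFailure", 150, {"src": "10.1.1.9", "dst": "10.0.0.7"}),
    Alert(5, "RpcServiceExploit", 90, {"src": "10.1.1.9", "dst": "10.0.0.5"}),
]

if __name__ == "__main__":
    for link in correlate(SAMPLE_ALERTS):
        print("prepares:", link)
    print("scenarios:", scenarios(correlate(SAMPLE_ALERTS)))
```

Alert 5 carries the same type as alert 3 but precedes the probe that would satisfy its prerequisite, so it is left uncorrelated; alert 4 targets a host for which no earlier consequence established an FTP service, so it stays isolated as well. Only the scan, probe and exploit against 10.0.0.5 chain into one scenario.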
Files:
Filename: etd.pdf
Size: 770.28 Kb
Approximate Download Time (Hours:Minutes:Seconds):
- 28.8 Modem: 00:03:33
- 56K Modem: 00:01:50
- ISDN (64 Kb): 00:01:36
- ISDN (128 Kb): 00:00:48
- Higher-speed Access: 00:00:04