Type of Document: Master's Thesis
Author: Hu, Yiquan
Author's Email Address: hyqhyq@yahoo.com
URN: etd-12312003-014322
Title: TIAA: A Toolkit for Intrusion Alert Analysis
Degree: Master of Science
Graduate Program: Computer Science

Advisory Committee (Name, Title)
- Peng Ning, Committee Chair
- Douglas S. Reeves, Committee Member
- Rudra Dutta, Committee Member

Keywords
- Attack Scenario Analysis
- Alert Correlation

Date of Defense: 2003-12-30
Availability: unrestricted

Abstract

HU, YIQUAN. TIAA: A Toolkit for Intrusion Alert Analysis. (Under the direction of Dr. Peng Ning.)
Intrusion Detection has been studied for about twenty years. Intrusion Detection Systems (IDSs) are usually considered to be the second line of defense to protect against malicious activities, along with the prevention-based security mechanisms such as authentication and access control. However, traditional IDSs have two major limitations. First, they usually focus on low-level attacks or anomalies, and raise alerts independently, although there may be logical connections between them. Second, in a typical environment there are a lot of false alerts reported by traditional IDSs, which are mixed with true alerts. Thus, the intrusion analysts or the system administrators are often overwhelmed by the volume of alerts.

To address the aforementioned problems and thus to improve the usability of the current IDSs, the Toolkit for Intrusion Alert Analysis (TIAA) [17] is developed. The primary goal of TIAA is to provide system support for interactive analysis of intrusion alerts reported by traditional IDSs. TIAA is based on the alert correlation techniques previously developed in [16] and [15]. In addition, several new utilities are developed to facilitate the analysis of potentially large sets of intrusion alerts. More specifically, these new utilities include alert aggregation/disaggregation, clustering analysis, frequency analysis, link analysis, and association analysis. Finally, TIAA includes two additional visual representations of analysis results besides the hyper-alert correlation graphs proposed in [16], making it easier for a human analyst to understand the analysis results. It is envisaged that a human analyst and TIAA form a man-machine team, with TIAA performing automated tasks such as intrusion alert correlation and execution of analysis utilities, and the human analyst deciding what sets of alerts to analyze and how the analysis utilities are applied.

This thesis presents the implementation of TIAA, including several analysis utilities, an improved alert collection system, and an integrated analysis environment with a user-friendly graphical user interface (GUI). This thesis also reports several experiments that evaluate the TIAA system using DARPA 2000 datasets and Cyber Panel Grand Challenge Problem datasets. The experimental results show that the TIAA system can greatly improve the analysis of intrusion alerts, and can cooperate with general underlying IDSs.
Files

Approximate download time is given in Hours:Minutes:Seconds.

| Filename | Size | 28.8 Modem | 56K Modem | ISDN (64 Kb) | ISDN (128 Kb) | Higher-speed Access |
|---|---|---|---|---|---|---|
| etd.pdf | 2.30 Mb | 00:10:38 | 00:05:28 | 00:04:47 | 00:02:23 | 00:00:12 |