Work in Progress - Tracking Correlated Attacks in Enterprise Intranets through Lattices

Sule Simsek
Published in: 2006 Securecomm and Workshops, August 2006.
DOI: 10.1109/SECCOMW.2006.359570 (https://doi.org/10.1109/SECCOMW.2006.359570)
Citation count: 2

Abstract

Tracking attacks caused by correlation between malicious hosts is a rapidly growing research area. In this work-in-progress paper, we propose a lattice-based visualization method to capture the correlation between malicious hosts in an enterprise internal network. We present the design of L-BIDS (lattice-based intrusion detection system), in which the nodes represent the causal and correlated properties of the network messages. In order to track the propagation of a distributed denial of service (DDoS) attack, L-BIDS nodes are highlighted with different colors based on their role within the attack. The colored structure of nodes in an L-BIDS lattice allows us to obtain a concise intrusion signature, which simplifies the tracking of the propagation of the DDoS attack. In our preliminary L-BIDS model, the analysis of the network data is off-line.
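The abstract describes the L-BIDS lattice only at a high level. The following Python is an added illustration, not code from the paper: it assumes the lattice is a formal concept lattice (each node pairs a set of messages with every attribute those messages share), builds it over a constructed set of six flow records, colors each node by a role derived from its shared attributes, and keeps the most general node per role as the concise signature. The flow records, attribute names, role rules and timestamps are all constructed assumptions; the paper does not specify them.

```python
"""Concept-lattice sketch of the L-BIDS idea over constructed flow records.

Illustrative reconstruction, not code from the paper. It assumes the lattice
is a formal concept lattice: each node pairs a set of messages (extent) with
every attribute those messages share (intent).
"""

# Constructed sample messages: id -> attributes extracted from the flow record.
# Attribute names and values are invented for the example.
FLOWS = {
    "m1": {"src:h1", "dst:srv", "syn", "high_rate"},
    "m2": {"src:h2", "dst:srv", "syn", "high_rate"},
    "m3": {"src:h3", "dst:srv", "syn", "high_rate"},
    "m4": {"src:c2", "dst:h1", "tcp_push", "small"},
    "m5": {"src:c2", "dst:h2", "tcp_push", "small"},
    "m6": {"src:h9", "dst:srv", "http_get", "normal_rate"},
}
# Constructed observation times (seconds) used to order the colored nodes.
FLOW_TIMES = {"m4": 1, "m5": 2, "m1": 3, "m2": 4, "m3": 5, "m6": 6}


def concept_lattice(context):
    """Return all (extent, intent) concepts, most general (largest extent) first."""
    objects = frozenset(context)
    attrs = frozenset().union(*context.values())
    # Extent of each single attribute; every closed extent is an intersection
    # of these, so iterate pairwise intersections to a fixed point.
    attr_ext = {a: frozenset(o for o, s in context.items() if a in s) for a in attrs}
    extents = {objects}
    changed = True
    while changed:
        changed = False
        for e in list(extents):
            for a in attrs:
                n = e & attr_ext[a]
                if n not in extents:
                    extents.add(n)
                    changed = True
    concepts = []
    for e in extents:
        if e:
            intent = frozenset.intersection(*(frozenset(context[o]) for o in e))
        else:
            intent = attrs  # bottom node: no messages, all attributes
        concepts.append((e, intent))
    return sorted(concepts, key=lambda c: (-len(c[0]), sorted(c[0])))


def cover_edges(concepts):
    """Hasse-diagram edges (i, j): concept i directly covers concept j."""
    ext = [c[0] for c in concepts]
    edges = []
    for i, a in enumerate(ext):
        for j, b in enumerate(ext):
            if b < a and not any(b < c < a for c in ext):
                edges.append((i, j))
    return edges


def role(intent):
    """Assumed coloring rules: a node's role is read off its shared attributes."""
    if {"syn", "high_rate"} <= intent:
        return "flood"
    if {"tcp_push", "small"} <= intent:
        return "precursor"
    if "normal_rate" in intent:
        return "benign"
    return "unlabelled"


def signature(concepts):
    """Most general colored node per role: the concise signature."""
    best = {}
    for extent, intent in concepts:  # already ordered most general first
        if not extent:
            continue
        r = role(intent)
        if r != "unlabelled" and r not in best:
            best[r] = (extent, intent)
    return best


def propagation_order(sig, times):
    """Roles ordered by the earliest message inside each signature node."""
    return sorted(sig, key=lambda r: min(times[m] for m in sig[r][0]))


if __name__ == "__main__":
    lat = concept_lattice(FLOWS)
    sig = signature(lat)
    print(f"{len(lat)} concepts, {len(cover_edges(lat))} edges")
    for r in propagation_order(sig, FLOW_TIMES):
        ext, intent = sig[r]
        print(f"{r:10s} extent={sorted(ext)} intent={sorted(intent)}")
```

The point the lattice makes that per-message inspection does not: the three separate SYN floods from h1, h2 and h3 collapse into one node whose intent (dst:srv, syn, high_rate) is the signature, and the node's position above the per-host nodes shows the common target, while the earlier push traffic from c2 to h1 and h2 sits in a separate branch that the timestamps order before the flood.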