Stellar: a fusion system for scenario construction and security risk assessment

Stephen W. Boyer, Oliver Dain, R. Cunningham
DOI: 10.1109/IWIA.2005.16 (https://doi.org/10.1109/IWIA.2005.16)
Published in: Third IEEE International Workshop on Information Assurance (IWIA'05)
Publication date: 2005-03-23
Citations: 18

Abstract

Stellar is a real-time system that aggregates and correlates alerts from heterogeneous network defense systems, building scenarios and estimating the security risk of each scenario as a whole. Prior work considered Stellar scenario formation; in this paper we explore the advantages of using scenario context to assess the risk of actions occurring on a network. We describe the design and an evaluation of Stellar and its Security Assessment Declarative Language (SADL), a fast, stateful, simple-to-use language for assessing the priority of scenarios, on a high-traffic network under constant attack. The evaluation of the Stellar system deployed on a large, operational enterprise network demonstrated its ability to scale to high alert volumes while accurately forming and prioritizing scenarios. Stellar not only produced high-priority scenarios matching all incidents reported by human analysts, but also discovered additional scenarios of concern that had initially gone unnoticed. Furthermore, by following the simple formalism embedded in example SADL rules, system administrators quickly develop a correct understanding of the network they are protecting.
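The abstract's central claim is that an alert is easier to prioritize inside the scenario it belongs to than in isolation: a single exploit signature means one thing on its own and something else when it follows a scan of the same host and is followed by a callback from that host. The example below, added here to illustrate that idea, is not Stellar's code and does not reproduce SADL; it is a small Python sketch in which alerts from two hypothetical sensors (`ids`, `fw`) are grouped into scenarios by host pair, a few hand-written stateful rules adjust the scenario's priority as each alert arrives, and the same alert can be scored alone for comparison. The alert stream, the rule names and the score weights are all constructed assumptions.

```python
"""Scenario-based alert prioritization, illustrative only.

Added example: not Stellar's implementation and not SADL. The sensors,
alerts, rule names and weights below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since epoch (constructed)
    sensor: str    # which defense system emitted the alert
    src: str
    dst: str
    kind: str      # normalized event class shared across sensors


@dataclass
class Scenario:
    key: FrozenSet[str]                        # the pair of hosts involved
    alerts: List[Alert] = field(default_factory=list)
    state: Dict[str, object] = field(default_factory=dict)  # rule memory
    priority: int = 0


# Constructed sample alerts: a scan, an exploit attempt against the scanned
# host, a connection from that host back to the attacker, and one unrelated
# exploit attempt with no surrounding context.
SAMPLE_ALERTS = [
    Alert(100, "ids", "10.0.0.5", "192.0.2.10", "portscan"),
    Alert(130, "ids", "10.0.0.5", "192.0.2.10", "exploit_attempt"),
    Alert(131, "fw", "192.0.2.10", "10.0.0.5", "outbound_connect"),
    Alert(200, "ids", "10.0.0.9", "192.0.2.20", "exploit_attempt"),
]

Rule = Callable[[Scenario, Alert], int]


def rule_recon(sc: Scenario, a: Alert) -> int:
    """A port scan is low priority on its own but is remembered."""
    if a.kind == "portscan":
        sc.state["recon"] = True
        return 1
    return 0


def rule_exploit(sc: Scenario, a: Alert) -> int:
    """An exploit attempt scores higher when the target was scanned first."""
    if a.kind != "exploit_attempt":
        return 0
    sc.state["exploited"] = a.dst
    sc.state["exploit_ts"] = a.ts
    return 3 if sc.state.get("recon") else 2


def rule_callback(sc: Scenario, a: Alert) -> int:
    """The exploited host opening a connection within 60 s of the attempt
    is treated as a likely compromise and raises the scenario sharply."""
    if (a.kind == "outbound_connect"
            and sc.state.get("exploited") == a.src
            and a.ts - sc.state["exploit_ts"] <= 60):
        return 5
    return 0


RULES: List[Rule] = [rule_recon, rule_exploit, rule_callback]


def scenario_key(a: Alert) -> FrozenSet[str]:
    # Direction-agnostic so a victim's callback joins the attacker's scenario.
    return frozenset((a.src, a.dst))


def correlate(alerts: List[Alert], rules: List[Rule] = RULES) -> Dict[FrozenSet[str], Scenario]:
    """Fold alerts in time order into per-host-pair scenarios, applying the
    stateful rules to each alert in the context of its scenario."""
    scenarios: Dict[FrozenSet[str], Scenario] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = scenario_key(a)
        sc = scenarios.setdefault(key, Scenario(key=key))
        sc.alerts.append(a)
        sc.priority += sum(rule(sc, a) for rule in rules)
    return scenarios


def score_alone(a: Alert, rules: List[Rule] = RULES) -> int:
    """Score one alert with no scenario context, for comparison."""
    return sum(rule(Scenario(key=scenario_key(a)), a) for rule in rules)


def rank(scenarios: Dict[FrozenSet[str], Scenario]) -> List[Scenario]:
    """Highest-priority scenarios first, as an analyst work queue."""
    return sorted(scenarios.values(), key=lambda s: s.priority, reverse=True)


if __name__ == "__main__":
    for sc in rank(correlate(SAMPLE_ALERTS)):
        print(sorted(sc.key), sc.priority, [a.kind for a in sc.alerts])
```

Run stand-alone, the scan/exploit/callback chain against 192.0.2.10 ranks at priority 9 while the lone exploit attempt against 192.0.2.20 scores 2; scoring the second sample alert by itself also yields 2, which is the gap between isolated and scenario-aware assessment that the abstract describes. The rule memory in `Scenario.state` is what makes the rules stateful; in a real deployment that state would need eviction by age and bounding per host pair, which this sketch omits.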