Authors: Bing Chen, Joohan Lee, A. Wu
Venue: Fourth IEEE International Workshop on Information Assurance (IWIA'06)
Published: 2006-04-13
DOI: 10.1109/IWIA.2006.2 (https://doi.org/10.1109/IWIA.2006.2)
Citation count: 19 (Semantic Scholar)
Active event correlation in Bro IDS to detect multi-stage attacks
Many recent computer attacks have been launched in multiple stages to evade the detection of existing intrusion detection systems (IDS). Some stages of the attack may appear innocent if checked separately. Furthermore, the intervals between these separate attack stages can be on the order of hours, days, or even months. These characteristics of multi-stage attacks make the detection task challenging for most existing IDSs, which are stateless in that they perform intrusion detection by independently checking individual packets, connections or sessions. In this paper, we propose a novel approach, active event correlation (AEC), which collects and correlates suspicious network events inside a network intrusion detection system (NIDS). AEC infers the possibility of attacks in the context of security policies and blocks attacks before they are completed. We have implemented AEC on top of the Bro NIDS (Paxson, 1999). Experiments indicate that AEC can effectively recognize and correlate individual stages of multi-stage attacks, stop incomplete attack stages, and give network administrators meaningful and concise alerts.