A logic-based model to support alert correlation in intrusion detection

Cited by: 54
Authors
Morin, Benjamin [1 ]
Me, Ludovic [1 ]
Debar, Herve [2 ]
Ducasse, Mireille [3 ]
Affiliations
[1] Supelec, F-35576 Cesson Sevigne, France
[2] Orange Labs, F-14066 Caen, France
[3] IRISA, F-35042 Rennes, France
Keywords
Intrusion detection; Alert correlation; Data model;
DOI
10.1016/j.inffus.2009.01.005
Chinese Library Classification (CLC)
TP18 [Theory of artificial intelligence];
Discipline classification codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Managing and supervising security in large networks has become a challenging task, as new threats and flaws are being discovered on a daily basis. This requires an in-depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each of which focuses on some specific aspects of the monitoring. Many alarm fusion and correlation approaches have also been investigated. However, most of these approaches suffer from two major drawbacks. First, they only take advantage of the information found in alerts, which is not sufficient to achieve the goals of alert correlation, that is, to reduce the overall number of alerts while enhancing their semantics. Second, these techniques have been designed on an ad hoc basis and lack a shared data model that would allow them to reason about events in a cooperative way. In this paper, we propose a federative data model for security systems to query and assert knowledge about security incidents and the context in which they occur. This model constitutes a consistent and formal ground for representing the information required to reason about complementary evidence, in order to confirm or invalidate alerts raised by intrusion detection systems. (C) 2009 Elsevier B.V. All rights reserved.
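The abstract's central point, that alert content alone cannot confirm or invalidate an alert and that asserted knowledge about the monitored environment (hosts, services, vulnerabilities, sensors) has to be queried alongside it, as an added illustration in Python. This is example code written for this page, not the data model or formalism defined in the paper: the predicates, the four rules, the host addresses, the signature names and the vulnerability inventory are all constructed assumptions. Facts are tuples in a set and rules are forward-chained to a fixpoint, so the reasoning is declarative in the Datalog sense even though no logic engine is involved.

```python
"""
Context-aware alert validation with a small forward-chaining rule engine.

Added illustration, not the model from the paper. All facts below are
constructed: predicates, hosts, addresses, products, signatures, sensors.
"""

# Facts are tuples: (predicate, arg1, arg2, ...).  Constructed knowledge base.
FACTS = {
    # host(addr, os)
    ("host", "10.0.0.5", "linux"),
    ("host", "10.0.0.7", "windows"),
    # service(addr, port, product)
    ("service", "10.0.0.5", 80, "apache"),
    ("service", "10.0.0.7", 80, "iis"),
    # vulnerable(addr, product): hypothetical vulnerability inventory
    ("vulnerable", "10.0.0.7", "iis"),
    # sig_targets(signature, product, os): what a signature's attack can affect
    ("sig_targets", "web_iis_traversal", "iis", "windows"),
    ("sig_targets", "web_apache_chunked", "apache", "linux"),
    # alert(id, sensor, src, dst, port, signature): constructed sensor output
    ("alert", "a1", "nids1", "198.51.100.9", "10.0.0.5", 80, "web_iis_traversal"),
    ("alert", "a2", "nids1", "198.51.100.9", "10.0.0.7", 80, "web_iis_traversal"),
    ("alert", "a3", "hids7", "198.51.100.9", "10.0.0.7", 80, "web_iis_traversal"),
    ("alert", "a4", "nids1", "203.0.113.4", "10.0.0.5", 80, "web_apache_chunked"),
}


def select(facts, pred):
    """All argument tuples of the facts with the given predicate."""
    return [f[1:] for f in facts if f[0] == pred]


def rule_mismatch(facts):
    """invalidated(A, Why) :- alert(A,_,_,Dst,Port,Sig), sig_targets(Sig,Prod,OS),
    and either host(Dst,OS2) with OS2 != OS, or service(Dst,Port,P2) with P2 != Prod."""
    out = set()
    for aid, _sensor, _src, dst, port, sig in select(facts, "alert"):
        for sig2, prod, target_os in select(facts, "sig_targets"):
            if sig2 != sig:
                continue
            for host, host_os in select(facts, "host"):
                if host == dst and host_os != target_os:
                    out.add(("invalidated", aid, "target_os_mismatch"))
            for host, p, product in select(facts, "service"):
                if host == dst and p == port and product != prod:
                    out.add(("invalidated", aid, "target_service_mismatch"))
    return out


def rule_plausible(facts):
    """plausible(A) :- alert(A,_,_,Dst,Port,Sig), sig_targets(Sig,Prod,_),
    service(Dst,Port,Prod), vulnerable(Dst,Prod)."""
    out = set()
    services = set(select(facts, "service"))
    vulns = set(select(facts, "vulnerable"))
    for aid, _sensor, _src, dst, port, sig in select(facts, "alert"):
        for sig2, prod, _os in select(facts, "sig_targets"):
            if sig2 == sig and (dst, port, prod) in services and (dst, prod) in vulns:
                out.add(("plausible", aid))
    return out


def rule_confirmed(facts):
    """confirmed(A) :- plausible(A), alert(A,S1,Src,Dst,_,Sig),
    alert(B,S2,Src,Dst,_,Sig), S1 != S2.  Two independent sensors agree."""
    out = set()
    alerts = select(facts, "alert")
    for aid, s1, src, dst, _port, sig in alerts:
        if ("plausible", aid) not in facts:
            continue
        for bid, s2, src2, dst2, _p2, sig2 in alerts:
            if bid != aid and s1 != s2 and (src, dst, sig) == (src2, dst2, sig2):
                out.add(("confirmed", aid))
    return out


RULES = (rule_mismatch, rule_plausible, rule_confirmed)


def forward_chain(facts, rules=RULES):
    """Apply the rules until no new fact is derived (least fixpoint)."""
    facts = set(facts)
    while True:
        new = set().union(*(rule(facts) for rule in rules)) - facts
        if not new:
            return facts
        facts |= new


def verdicts(facts=FACTS):
    """Map each alert id to confirmed / invalidated / plausible / undetermined."""
    derived = forward_chain(facts)
    invalidated = {f[1] for f in derived if f[0] == "invalidated"}
    result = {}
    for aid, *_ in select(derived, "alert"):
        if ("confirmed", aid) in derived:
            result[aid] = "confirmed"
        elif aid in invalidated:
            result[aid] = "invalidated"
        elif ("plausible", aid) in derived:
            result[aid] = "plausible"
        else:
            result[aid] = "undetermined"
    return result


def reasons(facts=FACTS):
    """Invalidation reasons per alert id, so an operator can audit the verdict."""
    derived = forward_chain(facts)
    return {f[1]: sorted(r[2] for r in derived if r[0] == "invalidated" and r[1] == f[1])
            for f in derived if f[0] == "invalidated"}


if __name__ == "__main__":
    for aid, verdict in sorted(verdicts().items()):
        print(aid, verdict, reasons().get(aid, []))
```

In the constructed data, a1 is an IIS signature fired against a Linux/Apache host and is invalidated on two grounds; a2 and a3 target a Windows/IIS host listed as vulnerable and are confirmed because two different sensors report the same source, destination and signature; a4 matches its target's OS and service but no vulnerability fact exists, so it stays undetermined rather than being silently promoted. The verdict ordering (confirmed before invalidated before plausible) and the rule set are choices made for this example; in a deployment the host, service and vulnerability facts would be fed from asset inventories and scanners, and the rules would be tuned to the sensors in use.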
Pages: 285 / 299
Page count: 15
Related papers (50 in total)
  • [21] A logic-based axiomatic model of bargaining
    Zhang, Dongmo
    [J]. ARTIFICIAL INTELLIGENCE, 2010, 174 (16-17) : 1307 - 1322
  • [22] Fuzzy logic-based forecasting model
    Frantti, T
    Mähönen, P
    [J]. ENGINEERING APPLICATIONS OF ARTIFICIAL INTELLIGENCE, 2001, 14 (02) : 189 - 201
  • [23] Logic-based detection of conflicts in APPEL policies
    Montangero, Carlo
    Reiff-Marganiec, Stephan
    Semini, Laura
    [J]. INTERNATIONAL SYMPOSIUM ON FUNDAMENTALS OF SOFTWARE ENGINEERING, PROCEEDINGS, 2007, 4767 : 257 - +
  • [24] HCAM: A context-aware middleware to support logic-based context conflict detection
    Rao, Ruonan
    Ye, Guangchang
    You, Jinyuan
    [J]. 2007 SECOND INTERNATIONAL CONFERENCE IN COMMUNICATIONS AND NETWORKING IN CHINA, VOLS 1 AND 2, 2007, : 259 - 263
  • [25] Logic-based Conflict Detection for Distributed Policies
    Montangero, Carlo
    Reiff-Marganiec, Stephan
    Semini, Laura
    [J]. FUNDAMENTA INFORMATICAE, 2008, 89 (04) : 511 - 538
  • [27] An intrusion detection and alert correlation approach based on revising probabilistic classifiers using expert knowledge
    Benferhat, Salem
    Boudjelida, Abdelhamid
    Tabia, Karim
    Drias, Habiba
    [J]. APPLIED INTELLIGENCE, 2013, 38 (04) : 520 - 540
  • [28] A fuzzy logic-based method for outliers detection
    Cateni, S.
    Colla, V.
    Vannucci, M.
    [J]. PROCEEDINGS OF THE IASTED INTERNATIONAL CONFERENCE ON ARTIFICIAL INTELLIGENCE AND APPLICATIONS, 2007, : 561 - +
  • [29] Logic-based decision support for strategic environmental assessment
    Gavanelli, Marco
    Riguzzi, Fabrizio
    Milano, Michela
    Cagnoli, Paolo
    [J]. THEORY AND PRACTICE OF LOGIC PROGRAMMING, 2010, 10 : 643 - 658
  • [30] A logic-based framework for reasoning support in software evolution
    Vescoukis, VC
    Papaspyrou, N
    Skordalakis, E
    [J]. ADVANCED INFORMATION SYSTEMS ENGINEERING, 1996, 1080 : 44 - 59