CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

A Multi-Sensor Model to Improve Automated Attack Detection

Magnus Almgren (Institutionen för data- och informationsteknik, Datorteknik (Chalmers)) ; Ulf Lindqvist ; Erland Jonsson (Institutionen för data- och informationsteknik, Datorteknik (Chalmers))
11th International Symposium, RAID 2008, Cambridge, MA, USA, September 15-17, 2008. Lecture Notes in Computer Science Vol. 5230/2008 (2008), p. 291-310.
[Konferensbidrag, refereegranskat]

Most intrusion detection systems available today are using a single audit source for detection, even though attacks have distinct manifestations in different parts of the system. In this paper we investigate how to use the alerts from several audit sources to improve the accuracy of the intrusion detection system (IDS). Concentrating on web server attacks, we design a theoretical model to automatically reason about alerts from different sensors, thereby also giving security operators a better understanding of possible attacks against their systems. Our model takes sensor status and capability into account, and therefore enables reasoning about the absence of expected alerts. We require an explicit model for each sensor in the system, which allows us to reason about the quality of information from each particular sensor and to resolve apparent contradictions in a set of alerts. Our model, which is built using Bayesian networks, needs some initial parameter values that can be provided by the IDS operator. We apply this model in two different scenarios for web server security. The scenarios show the importance of having a model that dynamically can adapt to local transitional traffic conditions, such as encrypted requests, when using conflicting evidence from sensors to reason about attacks.

Nyckelord: intrusion detection - alert reasoning

Denna post skapades 2008-10-14. Senast ändrad 2015-02-26.
CPL Pubid: 75377


Läs direkt!

Länk till annan sajt (kan kräva inloggning)

Institutioner (Chalmers)

Institutionen för data- och informationsteknik, Datorteknik (Chalmers)


Övrig informationsteknik

Chalmers infrastruktur

Relaterade publikationer

Denna publikation ingår i:

Techniques for Improving Intrusion Detection