CAPABILITY MODEL BASED ALERT CORRELATION


Most existing intrusion detection systems (IDS) generate large numbers of alerts, many of which are false positives or non-relevant positives. Alert correlation techniques aggregate and combine the outputs of one or more IDS to provide a concise and broad view of the security state of the network. A capability-based alert correlator uses the notion of capability to correlate IDS alerts, where a capability is the abstract view of an attack extracted from one or more IDS alerts. To make the correlation process semantically correct and systematic, the algebraic and set properties of capabilities need to be identified. In this work, the potential algebraic properties of capabilities are identified in terms of operations, relations and inferences. These properties give better insight into the logical association between capabilities, which helps in making the system modular. A variant of the correlation algorithm that uses these algebraic properties is presented. To make these operations more realistic, the existing capability model has been extended with a time-based notion that avoids temporal ambiguity between capability instances. We also propose the Attack Capability Modeling Language (ACML) for the capability model. It is a specification and description language used to express the capability gained by the attacker at each step of the intrusion process. These capabilities are defined using the IDS alerts. The language also provides for the specification of complete attack scenarios in terms of the intruder's capabilities, which in turn helps to determine the state of the system in terms of the extent of infiltration. ACML helps to avoid ambiguity in capability specifications when they are shared among developers.
We also propose the Attack Capability Modeling Framework (ACMF), which forms the basis of a capability model-based, semi-automated alert correlation process used to detect and identify attack scenarios from IDS alerts. Additionally, the language has features for customizing the definitions of these structures as well as the correlation algorithm.
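The correlation process the abstract describes, as an added Python sketch that is not code from the thesis: capabilities are extracted from alerts, an inference relation between capabilities drives the linking, and every capability instance carries the time it was gained so that a prerequisite acquired later than the alert that needs it is never paired with it. The capability schema, the alert-class templates and the sample alerts are assumptions made for this example.

```python
from collections import namedtuple

# Assumed capability schema (source, target, action, service); service "*" marks
# a host-wide capability that covers every service on the target.
Capability = namedtuple("Capability", "source target action service")
Alert = namedtuple("Alert", "aid atype src dst service ts")  # ts in seconds

# Constructed alert class -> (required, provided) actions; stands in for ACML definitions.
TEMPLATES = {
    "port_scan":       (set(),       {"know"}),
    "service_exploit": ({"know"},    {"execute"}),
    "root_shell":      ({"execute"}, {"control"}),
}

def capabilities_of(a):
    """Extract the (required, provided) capability sets of one alert."""
    req, prov = TEMPLATES[a.atype]
    mk = lambda act: Capability(a.src, a.dst, act, "*" if act == "control" else a.service)
    return {mk(x) for x in req}, {mk(x) for x in prov}

def implies(have, need):
    """Inference relation (assumed): same attacker, target and action, and a
    host-wide ('*') capability subsumes that action on any single service."""
    return have[:3] == need[:3] and have.service in ("*", need.service)

def correlate(alerts, window):
    """Link X -> Y when a capability X provided implies one Y requires and was gained
    no later than Y and at most `window` seconds before it (the time-based notion)."""
    gained, edges = [], []  # gained: (capability, time acquired, alert id)
    for a in sorted(alerts, key=lambda x: x.ts):
        req, prov = capabilities_of(a)
        for need in req:
            for have, ts, aid in gained:
                if ts <= a.ts <= ts + window and implies(have, need) and (aid, a.aid) not in edges:
                    edges.append((aid, a.aid))
        gained.extend((p, a.ts, a.aid) for p in prov)
    return edges

def isolated(alerts, edges):
    """Alerts linked to nothing: first candidates for false or non-relevant positives."""
    return {a.aid for a in alerts} - {x for e in edges for x in e}

# Constructed sample alerts (not real IDS output); 10.0.0.9 is the monitored host.
SAMPLE = [
    Alert("a1", "port_scan",       "10.0.0.5", "10.0.0.9", "ftp", 10),
    Alert("a2", "service_exploit", "10.0.0.5", "10.0.0.9", "ftp", 20),
    Alert("a3", "root_shell",      "10.0.0.5", "10.0.0.9", "ftp", 30),
    Alert("a4", "service_exploit", "10.0.0.7", "10.0.0.9", "ftp", 25),   # no prior scan from .7
    Alert("a5", "root_shell",      "10.0.0.5", "10.0.0.9", "ftp", 400),  # outside the window
]
```

With a 100-second window, `correlate(SAMPLE, 100)` links a1 -> a2 -> a3 into one scenario and leaves a4 (no prerequisite from that source) and a5 (prerequisite too old) isolated for analyst review.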
