Reduce False Alerts, Uncover High-Level Attack Strategies and Predict Attacks in Progress Using Prerequisites of Intrusions

使用入侵先决条件减少误报、发现高级攻击策略并预测正在进行的攻击

• 批准号: 0207297
• 负责人: Peng Ning
• 金额: $ 33万
• 依托单位: North Carolina State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2002
• 资助国家: 美国
• 起止时间: 2002-07-01 至 2006-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0207297&HistoricalAwards=false
• 关键词: Reduce; False; Alerts; Uncover; Level

Current intrusion detection systems (IDSs) usually generate many false alerts and often do not detect novel attacks or variations of known attacks. Moreover, most existing IDSs focus on low-level attacks oranomalies; none capture the logical steps or strategies behind these attacks. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the number ofalerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the nature of the attack and to take appropriate actions.To address these issues, this project will investigate techniques to correlate intrusion alerts on the basis of the prerequisites and consequences of attacks. The research uses a formal and rigorousapproach to study the fundamental issues involved in alert correlation, including representation of prerequisites and consequences of attacks, efficient algorithms to process alerts, expressiveness of the high-level representation mechanisms, effectiveness of the technique in reducing false alerts, impact offalse alerts and undetected attacks on the technique, and methods to predict attacks in progress. Expected impacts of the proposed research include (1) a reduction in the number of false alerts, (2) identification of attackers' high-level strategies, and (3) early configuration of effective defenses against attacks in progress. If successful, the research will lead to better tools for intrusiondetection and thus to improved computer and network security.

目前的入侵检测系统通常会产生许多错误警报，并且通常不能检测到新的攻击或已知攻击的变体。此外，大多数现有的入侵检测侧重于低级别的攻击或异常；没有一个捕获这些攻击背后的逻辑步骤或策略。在有密集入侵的情况下，不仅实际警报与虚假警报混杂在一起，而且警报的数量也将变得无法管理。因此，人类用户或入侵响应系统很难理解攻击的性质并采取适当的行动。为了解决这些问题，该项目将研究根据攻击的先决条件和后果关联入侵警报的技术。该研究使用形式化和严谨的方法来研究警报关联所涉及的基本问题，包括攻击的先决条件和后果的表示、处理警报的高效算法、高级表示机制的表达、该技术在减少虚假警报、对该技术的影响和未检测到的攻击方面的有效性以及预测正在进行的攻击的方法。拟议研究的预期影响包括(1)减少错误警报的数量，(2)识别攻击者的高级策略，以及(3)及早配置针对正在进行的攻击的有效防御。如果成功，这项研究将带来更好的入侵检测工具，从而改善计算机和网络安全。