2003 | OriginalPaper | Buchkapitel
Enhanced Correlation in an Intrusion Detection Process
verfasst von : Salem Benferhat, Fabien Autrel, Frédéric Cuppens
Erschienen in: Computer Network Security
Verlag: Springer Berlin Heidelberg
Enthalten in: Professional Book Archive
Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden. powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden. powered by
Generally, the intruder must perform several actions, organized in an intrusion scenario, to achieve his or her malicious objective. Actions are represented by their pre and post conditions, which are a set of logical predicates or negations of predicates. Pre conditions of an action correspond to conditions the system’s state must satisfy to perform the action. Post conditions correspond to the effects of executing the action on the system’s state.When an intruder begins his intrusion, we can deduce, from the alerts generated by IDSs, several possible scenarios, by correlating attacks, that leads to multiple intrusion objectives. However, with no further analysis, we are not able to decide which are the most plausible ones among those possible scenarios. We propose in this paper to define an order over the possible scenarios by weighting the correlation relations between successive attacks composing the scenarios. These weights reflect to what level executing some actions are necessary to execute some action B. We will see that to be satisfactory, the comparison operator between two scenarios must satisfy some properties.