Correlation of Intrusion Symptoms: An Application of Chronicles

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2003)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2820)

Abstract

In this paper, we propose a multi-alarm misuse correlation component based on the chronicles formalism. Chronicles provide a high-level declarative language and a recognition system that is used in other areas where dynamic systems are monitored. This formalism allows us to reduce the number of alarms shipped to the operator and enhances the quality of the diagnosis provided.

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Morin, B., Debar, H. (2003). Correlation of Intrusion Symptoms: An Application of Chronicles. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_6

  • DOI: https://doi.org/10.1007/978-3-540-45248-5_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40878-9

  • Online ISBN: 978-3-540-45248-5

  • eBook Packages: Springer Book Archive
