CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
CERIAS Logo
Purdue University - Discovery Park
Center for Education and Research in Information Assurance and Security

Effective and Efficient Intrusion Analysis

Peng Ning - NC State

Oct 20, 2004

Abstract

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. In this talk, I will present a series of techniques aimed at addressing this problem. These efforts start with an approach to constructing attack scenarios by correlating alerts on the basis of {em prerequisites} and {em consequences} of attacks. Intuitively, the prerequisite of an attack is the necessary condition for the attack to be successful, while the consequence of an attack is the possible outcome of the attack. Based on the prerequisites and consequences of different types of attacks, this method correlates alerts by (partially) matching the consequences of some prior alerts with the prerequisites of some later ones. In addition, I will present a method to automatically learn attack strategies from correlated alerts and to measure the similarity between sequences of attacks based on their strategies. Finally, I will talk about a recent approach we developed to hypothesize and reason about attacks potentially missed by IDSs.



Related website:
http://discovery.csc.ncsu.edu/Projects/AlertCorrelation

About the Speaker

Peng Ning is currently an assistant professor of Computer Science in the College of Engineering at North Carolina State University. He received his PhD degree in Information Technology from George Mason University in 2001. Prior to his PhD study, he received an ME degree in Communication and Electronic Systems in 1997, and a BS degree in Information Science in 1994, both from University of Science and Technology of China. Peng Ning\'s research interests are mainly in computer and network security. His recent work is mostly in intrusion detection and security in ad-hoc and sensor networks. Peng Ning\'s research has been supported by the National Science Foundation (NSF), the Army Research Office (ARO), the Advanced Research and Development Activity (ARDA), and the NCSU/Duke Center for Advanced Computing and Communication (CACC). Peng Ning is a founding member of the NCSU Cyber Defense Laboratory and the NCSU/Duke CACC. He is also a member of the ACM, the ACM SIGSAC, the IEEE, and the IEEE Computer Society.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52, West Lafayette Campus. More information...

Disclaimer

The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.