Title: Modelling intrusion for intrusion tolerance system by correlating alerts from IDS sensor

Authors: Liang-Min Wang, Jian-Feng Ma, Yong-Zhao Zhan

Addresses: The Key Laboratory of Computer Network and Information Security, Ministry of Education, Xidian University, Xi'an 710071, PRC; The Computer Security Laboratory, The Department of Computer Science, Jiangsu University, Zhenjiang 212013, PRC

Abstract: Modelling the intrusion is an open problem in Intrusion Tolerance Systems (ITS). We find that alerts from the sensors of an Intrusion Detection System (IDS) are helpful in solving this problem. This paper presents an intrusion model based on correlating these alerts, with emphasis on correlating them according to the intruders' inherence. Firstly, we correlate the alerts from IDS sensors into a meta-attack using a constructing algorithm, and then define the cover as the reduction of the meta-attack. Secondly, we transform the cover into the intrusion model and prove the equivalences among the intrusion model, the meta-attack and its cover. Thirdly, we present an algorithm for describing the intrusion model without employing manual work. Finally, we carry out correlation experiments to evaluate and show the performance of both the intrusion model and the algorithms for constructing and describing it.

Keywords: intrusion models; intrusion tolerance systems; ITS; alert correlation; intrusion detection systems; IDS sensors; sensor alerts; meta-attack reduction; automation.

DOI: 10.1504/IJAAC.2007.013300

International Journal of Automation and Control, 2007 Vol.1 No.1, pp.100 - 114

Published online: 19 Apr 2007