Real-time multistage attack awareness through enhanced intrusion alert clustering

Sunu Mathew; Daniel Britt; Richard Giomundo; Shambhu Upadhyaya; Moises Sudit; Adam Stotz

doi:10.1109/MILCOM.2005.1605934

Real-time multistage attack awareness through enhanced intrusion alert clustering

Sunu Mathew
, Daniel Britt
, Richard Giomundo
, Shambhu Upadhyaya
, Moises Sudit
, Adam Stotz

SUNY Buffalo

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

16 Scopus citations

Abstract

Correlation and fusion of intrusion alerts to provide effective Situation Awareness of cyber-attacks has become an active area of research. Snort is the most widely deployed intrusion detection sensor. For many networks and their system administrators, the alerts generated by Snort are the primary indicators of network misuse and attacker activity. However, the volume of the alerts generated in typical networks makes real-time attack scenario comprehension difficult. In this paper, we present an attack-stage oriented classification of alerts using Snort as an example, and demonstrate that this effectively improves real-time Situation Awareness of multistage attacks. We also incorporate this scheme into a real-time attack detection framework and prototype presented by the authors in previous work and provide some results from testing against multistage attack scenarios.

Original language	English
Title of host publication	MILCOM 2005
Subtitle of host publication	Military Communications Conference 2005
DOIs	https://doi.org/10.1109/MILCOM.2005.1605934
State	Published - 2005
Event	MILCOM 2005: Military Communications Conference 2005 - Atlatnic City, NJ, United States Duration: Oct 17 2005 → Oct 20 2005

Publication series

Name	Proceedings - IEEE Military Communications Conference MILCOM
Volume	2005

Conference

Conference	MILCOM 2005: Military Communications Conference 2005
Country/Territory	United States
City	Atlatnic City, NJ
Period	10/17/05 → 10/20/05

Access to Document

10.1109/MILCOM.2005.1605934

Cite this

@inproceedings{326b17097d2141308f7b85145606ac0f,

title = "Real-time multistage attack awareness through enhanced intrusion alert clustering",

abstract = "Correlation and fusion of intrusion alerts to provide effective Situation Awareness of cyber-attacks has become an active area of research. Snort is the most widely deployed intrusion detection sensor. For many networks and their system administrators, the alerts generated by Snort are the primary indicators of network misuse and attacker activity. However, the volume of the alerts generated in typical networks makes real-time attack scenario comprehension difficult. In this paper, we present an attack-stage oriented classification of alerts using Snort as an example, and demonstrate that this effectively improves real-time Situation Awareness of multistage attacks. We also incorporate this scheme into a real-time attack detection framework and prototype presented by the authors in previous work and provide some results from testing against multistage attack scenarios.",

author = "Sunu Mathew and Daniel Britt and Richard Giomundo and Shambhu Upadhyaya and Moises Sudit and Adam Stotz",

year = "2005",

doi = "10.1109/MILCOM.2005.1605934",

language = "English",

isbn = "0780393937",

series = "Proceedings - IEEE Military Communications Conference MILCOM",

booktitle = "MILCOM 2005",

note = "MILCOM 2005: Military Communications Conference 2005 ; Conference date: 17-10-2005 Through 20-10-2005",

}

Mathew, S, Britt, D, Giomundo, R, Upadhyaya, S , Sudit, M & Stotz, A 2005, Real-time multistage attack awareness through enhanced intrusion alert clustering. in MILCOM 2005: Military Communications Conference 2005., 1605934, Proceedings - IEEE Military Communications Conference MILCOM, vol. 2005, MILCOM 2005: Military Communications Conference 2005, Atlatnic City, NJ, United States, 10/17/05. https://doi.org/10.1109/MILCOM.2005.1605934

Real-time multistage attack awareness through enhanced intrusion alert clustering. / Mathew, Sunu; Britt, Daniel; Giomundo, Richard et al.
MILCOM 2005: Military Communications Conference 2005. 2005. 1605934 (Proceedings - IEEE Military Communications Conference MILCOM; Vol. 2005).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Real-time multistage attack awareness through enhanced intrusion alert clustering

AU - Mathew, Sunu

AU - Britt, Daniel

AU - Giomundo, Richard

AU - Upadhyaya, Shambhu

AU - Sudit, Moises

AU - Stotz, Adam

PY - 2005

Y1 - 2005

N2 - Correlation and fusion of intrusion alerts to provide effective Situation Awareness of cyber-attacks has become an active area of research. Snort is the most widely deployed intrusion detection sensor. For many networks and their system administrators, the alerts generated by Snort are the primary indicators of network misuse and attacker activity. However, the volume of the alerts generated in typical networks makes real-time attack scenario comprehension difficult. In this paper, we present an attack-stage oriented classification of alerts using Snort as an example, and demonstrate that this effectively improves real-time Situation Awareness of multistage attacks. We also incorporate this scheme into a real-time attack detection framework and prototype presented by the authors in previous work and provide some results from testing against multistage attack scenarios.

AB - Correlation and fusion of intrusion alerts to provide effective Situation Awareness of cyber-attacks has become an active area of research. Snort is the most widely deployed intrusion detection sensor. For many networks and their system administrators, the alerts generated by Snort are the primary indicators of network misuse and attacker activity. However, the volume of the alerts generated in typical networks makes real-time attack scenario comprehension difficult. In this paper, we present an attack-stage oriented classification of alerts using Snort as an example, and demonstrate that this effectively improves real-time Situation Awareness of multistage attacks. We also incorporate this scheme into a real-time attack detection framework and prototype presented by the authors in previous work and provide some results from testing against multistage attack scenarios.

UR - https://www.scopus.com/pages/publications/33847407583

U2 - 10.1109/MILCOM.2005.1605934

DO - 10.1109/MILCOM.2005.1605934

M3 - Conference contribution

AN - SCOPUS:33847407583

SN - 0780393937

SN - 9780780393936

T3 - Proceedings - IEEE Military Communications Conference MILCOM

BT - MILCOM 2005

T2 - MILCOM 2005: Military Communications Conference 2005

Y2 - 17 October 2005 through 20 October 2005

ER -

Real-time multistage attack awareness through enhanced intrusion alert clustering

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this