Peng Ning, Yun Cui, Douglas S. Reeves. "Constructing Attack Scenarios through Correlation of Intrusion Alerts". In Proceedings of the 9th ACM Conference on Computer & Communications Security. Pages 245-254. Washington D.C. November 2002.

Summary by Cristina Abad

This paper presents a practical technique for constructing attack scenarios by correlating alerts using the prerequisites and consequences of intrusions. Alerts are correlated by partially matching the consequences of some earlier alerts with the prerequisites of some later ones. Currently, intrusion detection systems present the user with a large number of alerts that are not part of actual attacks. The proposed method helps the user identify alerts that are likely part of attacks (by correlating them). The problem with the solution is that not all alerts that are part of an attack are correlated, and relying on the correlation of alerts can give the user a false sense of security. Unlike other similar solutions, prerequisites are optional (they may not have occurred), and consequences are possible, not actual, consequences. Instead of checking whether several hyper-alerts satisfy the prerequisite of a later one, the proposed method checks whether an earlier hyper-alert contributes to the prerequisite of a later one. The authors also list several definitions that help define the solution more precisely, including a couple that assign temporal constraints to hyper-alerts. After correlating the alerts, the system is able to generate a hyper-alert correlation graph, which is an intuitive representation of attack scenarios and also reveals opportunities to improve intrusion detection. Implementation issues are considered, and performance is evaluated by analyzing experimental results obtained using the 2000 DARPA intrusion detection scenario specific datasets.
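The matching step described in the summary, as an added example that is not code from the paper or its authors: each hyper-alert type carries predicate templates for its prerequisite and its possible consequences, an earlier hyper-alert "prepares for" a later one when an instantiated consequence equals an instantiated prerequisite and the earlier alert ended before the later one began, and the resulting edges form the correlation graph. The alert type names echo the DARPA 2000 scenario the paper evaluates, but their predicates, the single implication rule, and the alert instances here are constructed for this example and are not taken from the paper. It also shows the two points the summary makes: an alert whose other prerequisites were never observed is still correlated (partial matching), and an alert that arrives after the one it would explain is not (temporal constraint).

```python
"""Prerequisite/consequence alert correlation (added example, not the paper's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Predicate templates look like "ExistHost(VictimIP)"; the arguments are
# attribute names of the alert and get replaced by the alert's values.
_PRED = re.compile(r"^(\w+)\((.*)\)$")


@dataclass(frozen=True)
class HyperAlertType:
    name: str
    prerequisite: Tuple[str, ...]  # conjunction of predicate templates
    consequence: Tuple[str, ...]   # possible (not guaranteed) consequences


@dataclass
class HyperAlert:
    ident: str
    atype: HyperAlertType
    attrs: Dict[str, str]
    begin: int  # begin_time
    end: int    # end_time


# Constructed implication rule (assumption): p(x) holding implies q(x) holds.
# Used to build the "expanded consequence set" before matching.
IMPLIES: Dict[str, Tuple[str, ...]] = {"GainRootAccess": ("GainAccess",)}


def instantiate(template: str, attrs: Dict[str, str]) -> str:
    """'VulnerableSadmind(VictimIP)' -> 'VulnerableSadmind(172.16.112.50)'."""
    m = _PRED.match(template)
    if not m:
        raise ValueError(f"bad predicate template: {template}")
    args = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return f"{m.group(1)}({','.join(attrs[a] for a in args)})"


def prerequisites(h: HyperAlert) -> Set[str]:
    return {instantiate(p, h.attrs) for p in h.atype.prerequisite}


def expanded_consequences(h: HyperAlert) -> Set[str]:
    """Instantiated consequences closed under the implication rules."""
    out = {instantiate(c, h.attrs) for c in h.atype.consequence}
    todo = list(out)
    while todo:
        m = _PRED.match(todo.pop())
        for q in IMPLIES.get(m.group(1), ()):
            implied = f"{q}({m.group(2)})"
            if implied not in out:
                out.add(implied)
                todo.append(implied)
    return out


def prepares_for(h1: HyperAlert, h2: HyperAlert) -> bool:
    """h1 prepares for h2 if it ended before h2 began and one of its expanded
    consequences matches one of h2's prerequisites. A partial match suffices:
    h2's remaining prerequisites may never have been observed."""
    return h1.end < h2.begin and bool(expanded_consequences(h1) & prerequisites(h2))


def correlate(alerts: List[HyperAlert]) -> List[Tuple[str, str]]:
    """Directed edges (earlier -> later) of the hyper-alert correlation graph."""
    return [(a.ident, b.ident) for a in alerts for b in alerts
            if a is not b and prepares_for(a, b)]


def scenarios(alerts: List[HyperAlert]) -> List[Set[str]]:
    """Each connected component with at least one edge is one attack scenario."""
    edges = correlate(alerts)
    parent = {h.ident: h.ident for h in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = {}
    for a, b in edges:
        groups.setdefault(find(a), set()).update((a, b))
    return sorted(groups.values(), key=lambda s: sorted(s))


def uncorrelated(alerts: List[HyperAlert]) -> Set[str]:
    """Alerts on no edge: candidates for false positives or missed stages."""
    linked = {x for e in correlate(alerts) for x in e}
    return {h.ident for h in alerts} - linked


# Constructed hyper-alert types (predicates are assumptions, not the paper's).
PING = HyperAlertType("Sadmind_Ping", ("ExistHost(VictimIP)",), ("VulnerableSadmind(VictimIP)",))
OVERFLOW = HyperAlertType("Sadmind_Amslverify_Overflow",
                          ("ExistHost(VictimIP)", "VulnerableSadmind(VictimIP)"),
                          ("GainRootAccess(VictimIP)",))
RSH = HyperAlertType("Rsh", ("GainAccess(VictimIP)",), ("ReadyForDDOSAttack(VictimIP)",))
ZOMBIE = HyperAlertType("Mstream_Zombie", ("ReadyForDDOSAttack(VictimIP)",), ("DDOSAgentRunning(VictimIP)",))
FTP_SYST = HyperAlertType("FTP_Syst", ("ExistHost(VictimIP)",), ("KnownOS(VictimIP)",))

# Constructed sample alerts: a full chain on .50, a partial chain on .20 with
# no preceding ping, a noise alert, and a late ping that arrives too late.
SAMPLE_ALERTS = [
    HyperAlert("a1", PING, {"VictimIP": "172.16.112.50"}, 1, 1),
    HyperAlert("a2", FTP_SYST, {"VictimIP": "172.16.115.20"}, 2, 2),
    HyperAlert("a3", OVERFLOW, {"VictimIP": "172.16.112.50"}, 3, 3),
    HyperAlert("a4", RSH, {"VictimIP": "172.16.112.50"}, 5, 5),
    HyperAlert("a5", ZOMBIE, {"VictimIP": "172.16.112.50"}, 7, 7),
    HyperAlert("a6", OVERFLOW, {"VictimIP": "172.16.115.20"}, 4, 4),
    HyperAlert("a7", RSH, {"VictimIP": "172.16.115.20"}, 6, 6),
    HyperAlert("a8", PING, {"VictimIP": "172.16.112.50"}, 9, 9),
]

if __name__ == "__main__":
    for edge in correlate(SAMPLE_ALERTS):
        print("%s prepares for %s" % edge)
    print("scenarios:", scenarios(SAMPLE_ALERTS))
    print("uncorrelated:", uncorrelated(SAMPLE_ALERTS))
```

Alert a6 has no ping before it, yet it is still linked to the later rsh on the same host, which is what makes prerequisites optional here; a8 is a ping that would explain a3 if it had come first, and the end-before-begin check keeps it out of that scenario.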
PROS:

By Greg Koenig:

* One big advantage of the system described in the paper is that it greatly reduces the impact of false alerts by creating a mechanism for differentiating alerts.
* The system described in the paper provides a correlated view of alerts at a high level. This view can reveal the causal relationships between parts of an attack and show the strategies employed by attackers. In my opinion, developing a lexicon of such strategies would be a worthwhile goal in computer security research.
* The method used by the authors allows their system to correlate alerts even if the IDS fails to detect some related attacks.
* The authors tested their system against the 2000 DARPA intrusion detection scenario datasets. While testing against such datasets is not the only testing that a system should undergo, I think it is important for the domain of computer security research to use such work to establish a common baseline by which research can be compared.
* The authors have a real implementation of their system in Java which they use to produce experimental results.

By Jalal Al-Muhtadi:

* The paper addresses a common problem for IDS, where IDSes can give unmanageable numbers of alerts when a large attack is in progress. The paper tries to solve this problem by trying to correlate events and predict attacks beforehand.
* Extends the JIGSAW system with additional capabilities including alert aggregation and partial prerequisite satisfaction.
* Adopts a simple formalism for representing and capturing causal relationships. This representation uses graphs and simple logic statements, making it easy to add new rules and evaluate the current situation.

CONS:

By Geetanjali Sampemane:

* The database of prerequisites/consequences has to be manually compiled (apparently) and that is a difficult task.
* It is not clear how many attacks are multi-stage in a way that this sort of graph is useful; if most of them are just of the form that a buffer overflow gives root access after which the attacker can do anything, this method may be overkill.
* This method might be useful to correlate information from a set of IDSes, but they don't seem to be doing that yet.

EVALUATION:

Strong Accept: 1
Weak Accept: 7
Weak Reject: 0
Strong Reject: 0