Network forensics based on scenario reconstruction and alert aggregation

Cited by: 0
Authors
Dong, Xiao-Mei [1]
Zhao, Qian [1]
Li, Xiao-Hua [1]
Fei, Ya-Jie [2]
Affiliations
[1] College of Information Science and Engineering, Northeastern University
[2] Department of Information Engineering, Shenyang Institute of Engineering
Source
Dong, X.-M. (dongxiaomei@ise.neu.edu.cn) | Year 1600 / Vol. Northeast University / No. 29
Keywords
Alert aggregation; Network forensics; Redundancy reduction; Scenario reconstruction;
DOI
10.13195/j.kzyjc.2012.1764
CLC number
TP3 [Computing technology, computer technology];
Subject classification number
0812 ;
Abstract
A network forensics method is proposed that comprises alert standardization, alert redundancy reduction, scenario reconstruction and alert aggregation. Alerts produced by failed attacks are removed, reducing their interference with the forensics process. During scenario reconstruction, unnecessary evidence is removed by inverse association, and isolated alerts are supplemented to preserve the integrity of the evidence chain. During alert aggregation, a method is proposed for merging alerts that describe the same attack step at different levels of detail. Intrusion scenarios are then reconstructed at the abstract layer and at the specific layer respectively. Finally, experiments verify the effectiveness of the proposed method.
Pages: 39 / 44
Page count: 5