
List:       focus-ids
Subject:    Re: RE: IDS Correlation
From:       <huili () sei ! xjtu ! edu ! cn>
Date:       2000-03-22 9:11:11

I think IDS correlation should refer to an event correlation or threat analysis
engine. It is not just the simple association of the same kinds of IDS alerts (of course
association is basic); there should be more work than that. I think the work
needed is:

  1. Put duplicate or similar alerts from different IDSs together and give a
     concise report.
  2. Put alerts of attacks from the same source but different targets
     together to get the complete attack scenario of the hacker.
  3. Pick up attacks that span a period of time but have some internal clues
     which could be detected through inference on the attack history. For
     example, a hacker often goes
     scan ----> exploit ----> install back door tools ----> steal key files ----> erase logs.
     Each step may trigger a different IDS to give alerts; if we can put these
     alerts together, the attack will be clear.

  Have I left something out about the task of correlation? Replies welcome! 3x

> I think you will find that the correlation systems on the market do a lot more than
> just Intrusion Detection Systems. The correlation tools have expanded to numerous
> devices including network devices, hosts, IDS, firewalls, and even application
> security. The definition of correlation varies widely with each company. Some of
> the products in the field only do correlation; however, I think the market will be
> dominated by threat analysis engines (explained later), not just correlation
> tools.
> The following is a listing of correlation techniques I have seen publicly.
> 
> Simple Correlation
> The ability to see all events in a normalized format side by side in a single
> perspective.
> Example:
>
> Device              Source    Destination  Event
> Checkpoint FW1      X.X.X.X   Z.Z.Z.Z      accept
> Enterasys Dragon    X.X.X.X   Z.Z.Z.Z      IISUNICODE
> ISS RealSecure      X.X.X.X   Z.Z.Z.Z      Nimda_Worm

                                Can you give me some explanation about the X.X.X.X and Z.Z.Z.Z? 3x


>
> Cross Organization Correlation
> Managed Service Providers and Intelligence Service Providers can do this (or at
> least I hope so): you are trying to match similar events with a bit of fuzziness to
> help customers come together as a group in combating a threat.
>
> Time by Event Correlation
> A statistics table holds key information about event counts and time periods over
> hosts. Picks up slow scans and that type of thing if you have lots of memory :>
>
> Rules or Pattern Correlation
> This is a manual process of configuring rules to act as a higher-level signature.
> IISUNICODE1 + IISUNICODE2 = NIMDA
>
> Grouping Correlation
> This type, primarily called classes, would group all of your IDS events in a
> similar fashion. For example: ids.detect.ddos might contain many DDOS signatures.
>
> Vulnerability Name and Event Correlation
> Well ladies and gentlemen, this is where it starts to get messy. This is a form of
> correlation, but I think it demands recognition as a higher level of analysis; I
> usually call this a type of threat analysis engine because effectively you are
> justifying the threat or reducing the perceived threat in a useful manner. These are
> getting more and more complex, at least here at GuardedNet. I would encourage you to
> look more into a threat analysis tool than just a correlation tool.
> I will be at the TechSec 2002 Conference, http://www.techsec.com, April 7-10,
> discussing these very topics.
>
> Matthew F. Caldwell, CISSP
> Chief Security Officer
> GuardedNet, Inc.
> http://www.guarded.net
> Home of neuSECURE Threat Management Software
>
>
> 
> 	-----Original Message-----
> 	From: 李辉 [mailto:huili@sei.xjtu.edu.cn]
> 	Sent: Tue 3/21/2000 9:49 PM
> 	To: focus-ids@securityfocus.com
> 	Cc:
> 	Subject: IDS Correlation
>
>
> 	hi, all
> 	  Recently I am focused on IDS correlation, but I keep thinking about these
> 	questions:
> 	  1. Can correlation definitely improve performance such as precision?
> 	  2. Maybe a comprehensive knowledge base about all kinds of IDS alerts is
> 	essential to correlation, but how can we acquire it?
> 	  3. Supposing that we have the knowledge base, which kinds of methods should we
> 	take to do correlation?
> 	  All kinds of comments about correlation are welcome.
>
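The three correlation tasks listed in the reply above (merge duplicate alerts from different sensors into one record, group everything from one source regardless of target, and recover a multi-step attack scenario by inference over the alert history), together with the "IISUNICODE1 + IISUNICODE2 = NIMDA" rule and the class grouping from the quoted message, can be sketched in a few dozen lines. The block below is an added example written for this archive page; it is not code from either poster or from any GuardedNet product. The sample alerts, the vendor-name-to-class table (the "knowledge base" the original question asks about), the rule and the four-step scenario are all constructed assumptions; the IP addresses are documentation ranges.

```python
"""Toy IDS alert correlation engine (added example, not from the original thread)."""
from collections import defaultdict

# Constructed sample alerts: (sensor, time_in_seconds, src_ip, dst_ip, vendor_signature).
# One attacker (192.0.2.10) walks the scan -> exploit -> backdoor -> erase-logs chain
# against two targets; a second source only scans. Timestamps are made up.
SAMPLE = [
    ("Snort",            50, "192.0.2.10",  "198.51.100.5", "PORTSCAN"),
    ("Checkpoint FW1",  100, "192.0.2.10",  "198.51.100.5", "accept"),
    ("Enterasys Dragon", 101, "192.0.2.10", "198.51.100.5", "IISUNICODE1"),
    ("ISS RealSecure",  101, "192.0.2.10",  "198.51.100.5", "IIS_Unicode"),   # same attack, other vendor
    ("Enterasys Dragon", 104, "192.0.2.10", "198.51.100.5", "IISUNICODE2"),
    ("ISS RealSecure",  105, "192.0.2.10",  "198.51.100.7", "Nimda_Worm"),
    ("Snort",           200, "192.0.2.10",  "198.51.100.5", "BACKDOOR_INSTALL"),
    ("HostIDS",         300, "192.0.2.10",  "198.51.100.5", "LOG_CLEARED"),
    ("Snort",            10, "203.0.113.4", "198.51.100.5", "PORTSCAN"),
]

# Hand-built knowledge base: vendor signature name -> class ("grouping correlation").
# Hypothetical mapping for illustration, not any vendor's real taxonomy.
CLASSES = {
    "accept": "fw.accept",
    "IISUNICODE1": "ids.web.iis_unicode",
    "IISUNICODE2": "ids.web.iis_unicode",
    "IIS_Unicode": "ids.web.iis_unicode",
    "Nimda_Worm": "ids.worm.nimda",
    "PORTSCAN": "ids.recon.scan",
    "BACKDOOR_INSTALL": "ids.backdoor.install",
    "LOG_CLEARED": "host.log_erase",
}

# Rule/pattern correlation: label, set of vendor signatures that must all appear
# from one source within `window` seconds (the IISUNICODE1 + IISUNICODE2 = NIMDA idea).
RULES = [("NIMDA", {"IISUNICODE1", "IISUNICODE2"}, 60)]

# Attack scenario as an ordered chain of classes (scan -> exploit -> backdoor -> erase logs).
SCENARIO = ["ids.recon.scan", "ids.web.iis_unicode", "ids.backdoor.install", "host.log_erase"]


def normalize(events, window=2):
    """Task 1: map vendor names to classes and merge alerts of the same class, source and
    target raised by different sensors within `window` seconds into one record."""
    merged = []
    for sensor, t, src, dst, name in sorted(events, key=lambda e: e[1]):
        cls = CLASSES.get(name, "unknown")
        for rec in merged:
            if (rec["src"], rec["dst"], rec["cls"]) == (src, dst, cls) and t - rec["t"] <= window:
                rec["sensors"].add(sensor)
                rec["names"].add(name)
                break
        else:
            merged.append({"t": t, "src": src, "dst": dst, "cls": cls,
                           "names": {name}, "sensors": {sensor}})
    return merged


def by_source(records):
    """Task 2: all alerts from one attacker, whatever the target, in time order."""
    groups = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["t"]):
        groups[rec["src"]].append(rec)
    return groups


def apply_rules(records):
    """Fire a rule when every signature it needs is seen from this source within its window."""
    hits = []
    for label, needed, window in RULES:
        times = [(r["t"], n) for r in records for n in r["names"] if n in needed]
        for t0, _ in times:
            seen = {n for t, n in times if t0 <= t <= t0 + window}
            if seen == needed:
                hits.append((label, t0))
                break
    return hits


def match_scenario(records, steps=SCENARIO):
    """Task 3: is the chain present as a time-ordered subsequence of this source's alerts?
    Returns the (step, time) pairs when the whole chain matched, else an empty list."""
    matched, i = [], 0
    for rec in sorted(records, key=lambda r: r["t"]):
        if i < len(steps) and rec["cls"] == steps[i]:
            matched.append((steps[i], rec["t"]))
            i += 1
    return matched if i == len(steps) else []


def correlate(events):
    """Run all three tasks and return one concise report per source address."""
    report = {}
    for src, recs in by_source(normalize(events)).items():
        report[src] = {
            "alerts": len(recs),
            "sensors": sorted(set().union(*(r["sensors"] for r in recs))),
            "rules": apply_rules(recs),
            "scenario": [step for step, _ in match_scenario(recs)],
        }
    return report


if __name__ == "__main__":
    for src, rep in correlate(SAMPLE).items():
        print(src, rep)
```

On the sample data the engine reports, for 192.0.2.10, eight raw alerts collapsed to seven records (the Dragon and RealSecure Unicode alerts at the same second become one record listing both sensors), one NIMDA rule hit, and the full four-step scenario; 203.0.113.4 gets only a scan and no scenario. The dedup window and the rule window are the knobs that trade precision for recall, which is exactly the question the original post raises: too wide and unrelated alerts merge, too narrow and the same event from two sensors is reported twice.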


