List: focus-ids
Subject: Re: RE: IDS Correlation
From: <huili () sei ! xjtu ! edu ! cn>
Date: 2000-03-22 9:11:11
I think IDS correlation should refer to the event correlation or threat analysis engine. It is not just a simple association of the same kinds of IDS alerts (of course association is basic); there should be more work than this. I think the work needed is: 1. put duplicate or similar alerts from different IDSs together and give a concise report; 2. put alerts of attacks from the same source but different targets together to get a complete attack scenario of the hacker; 3. pick up some attacks that span a period of time but have some internal clues which could be detected through inference on the attack history. For example, a hacker often does scan ----> exploit ----> install back door tools ----> steal key files ----> erase log. Each step may trigger a different IDS to give alerts; if we can put these alerts together, the attack will be clear.
Have I left something out about the task of correlation? Replies are welcome! 3x
> I think you will find that the correlation systems on the market do a lot more than just Intrusion Detection Systems. The correlation tools have expanded to numerous devices including network devices, hosts, IDS, firewalls, and even application security. The definition of correlation varies widely with each company. Some of the products in the field only do correlation; however, I think the market will be dominated by more threat analysis engines (explained later), not just correlation tools.
> The following is a listing of correlation techniques I have seen publicly.
>
> Simple Correlation
> The ability to see all events in a normalized format side by side in a single perspective.
> Example:
>
> Checkpoint FW1 X.X.X.X Z.Z.Z.Z accept
> Enterasys Dragon X.X.X.X Z.Z.Z.Z IISUNICODE
> ISS RealSecure X.X.X.X Z.Z.Z.Z Nimda_Worm
Can you give me some explanation of the X.X.X.X and Z.Z.Z.Z? 3x
>
> Cross Organization Correlation
> Managed Service Providers and Intelligence Service Providers can do this (or at least I hope so): you are trying to match similar events with a bit of fuzziness to help customers come together as a group in combating a threat.
> Time by Event Correlation
> A statistics table holds key information about event counts and time period over hosts. Picks up slow scans and that type of thing if you have lots of memory :>
> Rules or Pattern Correlation
> This is a manual process of configuring rules to act as a higher-level signature.
> IISUNICODE1 + IISUNICODE2 = NIMDA
> Grouping Correlation
> This type, primarily called classes, would group all of your IDS events in a similar fashion. For example: ids.detect.ddos might contain many DDOS signatures.
> Vulnerability Name and Event Correlation.
> Well ladies and gentlemen, this is where it starts to get messy. This is a form of correlation, but I think it demands recognition as a higher level of analysis; I usually call this a type of threat analysis engine because effectively you are justifying threat or reducing the perceived threat in a useful manner. These are getting more and more complex, at least here at GuardedNet. I would encourage you to look more into a threat analysis tool than just a correlation tool.
> I will be at the TechSec 2002 http://www.techsec.com Conference on April 7-10 discussing these very topics.
> Matthew F. Caldwell, CISSP
> Chief Security Officer
> GuardedNet, Inc.
> http://www.guarded.net
> Home of neuSECURE Threat Management Software
>
>
> -----Original Message-----
> From: 李辉 [mailto:huili@sei.xjtu.edu.cn]
> Sent: Tue 3/21/2000 9:49 PM
> To: focus-ids@securityfocus.com
> Cc:
> Subject: IDS Correlation
>
>
>
> hi,all
> Recently I have been focusing on IDS correlation, but I am always thinking about these questions: 1. Can correlation definitely improve the performance, such as precision? 2. Maybe a comprehensive knowledge base about all kinds of IDS alerts is essential to correlation, but how can we acquire it? 3. Suppose that we have the knowledge base; which kinds of method should we take to do correlation? All kinds of comments about correlation are welcome.
>
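As an added illustration of the techniques discussed in this thread (not code from either poster, GuardedNet or any product named above), the following small Python engine runs the three tasks from the reply above, plus the "time by event", "rules or pattern" and "grouping" techniques from the quoted message, over a constructed set of alerts. The sensor names, signature names, class names and IP addresses are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since an arbitrary epoch (constructed values)
    sensor: str    # reporting device, e.g. "Dragon", "RealSecure", "FW1"
    src: str
    dst: str
    sig: str       # sensor-specific signature name


# Grouping correlation: sensor-specific signature -> class (assumed names).
SIG_CLASS = {
    "PORTSCAN": "ids.recon.scan",
    "IISUNICODE1": "ids.exploit.web", "IISUNICODE2": "ids.exploit.web",
    "Nimda_Worm": "ids.exploit.web",
    "BACKDOOR_INSTALL": "ids.backdoor",
    "SENSITIVE_FILE_READ": "ids.exfil",
    "LOG_WIPE": "ids.cover",
}
# Scenario from the post: scan -> exploit -> back door -> steal files -> erase log.
KILL_CHAIN = ["ids.recon.scan", "ids.exploit.web", "ids.backdoor", "ids.exfil", "ids.cover"]
# Rules/pattern correlation from the quoted message: IISUNICODE1 + IISUNICODE2 = NIMDA.
RULES = {"NIMDA": {"IISUNICODE1", "IISUNICODE2"}}

# Constructed sample alerts; 192.0.2.0/24 is a documentation range, not real hosts.
A, N = "10.0.0.5", "10.0.0.9"
ALERTS = [
    Alert(0, "Dragon", A, "192.0.2.10", "PORTSCAN"),
    Alert(50, "Dragon", N, "192.0.2.20", "PORTSCAN"),               # unrelated single scan
    Alert(900, "Dragon", A, "192.0.2.11", "PORTSCAN"),
    Alert(1800, "Dragon", A, "192.0.2.12", "PORTSCAN"),
    Alert(2700, "Dragon", A, "192.0.2.13", "PORTSCAN"),              # slow scan: 4 hosts in 45 min
    Alert(3000, "FW1", A, "192.0.2.10", "accept"),
    Alert(3000, "Dragon", A, "192.0.2.10", "IISUNICODE1"),
    Alert(3001, "RealSecure", A, "192.0.2.10", "IISUNICODE2"),
    Alert(3002, "RealSecure", A, "192.0.2.10", "Nimda_Worm"),        # same attack, two sensors
    Alert(3100, "RealSecure", A, "192.0.2.10", "BACKDOOR_INSTALL"),
    Alert(3200, "Dragon", A, "192.0.2.11", "SENSITIVE_FILE_READ"),   # different target
    Alert(3300, "RealSecure", A, "192.0.2.10", "LOG_WIPE"),
]


def classify(a):
    return SIG_CLASS.get(a.sig, "ids.unknown")


def dedupe(alerts, window=5):
    """Task 1: collapse alerts from different sensors on the same (src, dst, class)
    within `window` seconds into one concise record listing every sensor that saw it."""
    merged = []
    for a in sorted(alerts, key=lambda x: x.ts):
        cls = classify(a)
        for m in merged:
            if (m["src"], m["dst"], m["class"]) == (a.src, a.dst, cls) and a.ts - m["first"] <= window:
                m["sensors"].add(a.sensor)
                m["count"] += 1
                break
        else:
            merged.append({"src": a.src, "dst": a.dst, "class": cls, "first": a.ts,
                           "sensors": {a.sensor}, "count": 1})
    return merged


def slow_scan(alerts, window=3600, min_targets=4):
    """Time-by-event correlation: distinct targets per source in a sliding window."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        if classify(a) == "ids.recon.scan":
            by_src[a.src].append(a)
    hits = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            targets = {e.dst for e in evs[i:] if e.ts - start.ts <= window}
            if len(targets) >= min_targets:
                hits[src] = len(targets)
                break
    return hits


def rule_correlate(alerts, rules=RULES, window=60):
    """Rules/pattern correlation: a higher-level signature fires when every
    component signature is seen from one source within `window` seconds."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        by_src[a.src].append(a)
    fired = []
    for src, evs in by_src.items():
        for name, parts in rules.items():
            for i, start in enumerate(evs):
                if parts <= {e.sig for e in evs[i:] if e.ts - start.ts <= window}:
                    fired.append((name, src, start.ts))
                    break
    return fired


def attack_scenario(alerts, min_phases=3):
    """Tasks 2 and 3: per source, the kill-chain phases seen across any targets,
    reported only if they occurred in chain order (inference over the history)."""
    seen = defaultdict(dict)  # src -> class -> first timestamp
    for a in sorted(alerts, key=lambda x: x.ts):
        cls = classify(a)
        if cls in KILL_CHAIN:
            seen[a.src].setdefault(cls, a.ts)
    scenarios = {}
    for src, phases in seen.items():
        ordered = [p for p in KILL_CHAIN if p in phases]
        times = [phases[p] for p in ordered]
        if len(ordered) >= min_phases and times == sorted(times):
            scenarios[src] = ordered
    return scenarios


if __name__ == "__main__":
    for rec in dedupe(ALERTS):
        print(rec)
    print("slow scans:", slow_scan(ALERTS))
    print("rules fired:", rule_correlate(ALERTS))
    print("scenarios:", attack_scenario(ALERTS))
```

Run as-is, the script collapses the three web-exploit alerts from Dragon and RealSecure into a single record, flags 10.0.0.5 as a slow scanner (four hosts over 45 minutes, which a per-alert threshold would miss), fires the NIMDA composite rule, and reconstructs the full five-step scenario for 10.0.0.5 while the lone scan from 10.0.0.9 produces nothing. The windows and thresholds are deliberate knobs: the dedupe window trades completeness of the concise report against merging genuinely separate attacks, and the scan window is exactly the "lots of memory" cost the quoted message mentions, since every source's events must be retained for the whole window.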