Journal of KIISE:Information Networking (한국정보과학회논문지:정보통신)

Korean Institute of Information Scientists and Engineers (한국정보과학회)
권호 표지

Design and Implementation of Alert Analysis System using Correlation

연관성을 이용한 침입탐지 정보 분석 시스템의 설계 및 구현

  • 이수진 (한국과학기술원 전자전산학과) ;
  • 정병천 (한국과학기술원 전자전산학과) ;
  • 김희열 (한국과학기술원 전자전산학과) ;
  • 이윤호 (한국과학기술원 전자전산학과) ;
  • 윤현수 (한국과학기술원 전산학과) ;
  • 김도환 (국가보안기술연구소) ;
  • 이은영 (국가보안기술연구소) ;
  • 박응기 (국가보안기술연구소)
  • Published : 2004.10.01
Download PDF
⟨ Previous Next ⟩

Abstract

With the growing deployment of network and internet, the importance of security is also increased. But, recent intrusion detection systems which have an important position in security countermeasure can't provide proper analysis and effective defence mechanism. Instead, they have overwhelmed human operator by large volume of intrusion detection alerts. In this paper, we propose an efficient alert analysis system that can produce high level information by analyzing and processing the large volume of alerts and can detect large-scale attacks such as DDoS in early stage. And we have measured processing rate of each elementary module and carried out a scenario-based test in order to analyzing efficiency of our proposed system.

조직이 운영하는 네트워크의 규모가 방대해지고, 인터넷 사용이 활성화되면서 보안의 중요성도 함께 증가하였다. 그러나 최근 보안의 핵심으로 부각되고 있는 침입탐지 시스템들은 인터넷상의 공격들에 대한 적절한 분석이나 효율적인 대응책을 제공해 주기보다는, 대량의 침입탐지 정보를 생성시켜 관리자의 부담을 가중시키고 있다. 본 논문에서는 침입탐지 시스템이 생성하는 대량의 침입탐지 정보들간에 존재하는 연관성을 분석하여 대응에 필요한 고 수준의 정보를 실시간으로 생성해 냄으로써 관리 및 분석의 효율성을 증진시키고, 나아가서는 분산 서비스 거부 공격(DDoS) 같은 대규모의 공격까지도 조기에 탐지해 낼 수 있는 능력을 갖춘 침입탐지 정보 분석 시스템을 제안한다. 그리고 제안된 시스템의 성능 분석을 위해 각 모듈의 처리 효율을 측정하고 알려진 공격 시나리오 기반의 시험 평가를 실시한다.

Keywords

References

  1. Wenke Lee,. 'A Framework for Constructing Features and Models for Intrusion Detection System,' PhD thesis, Columbia University, June 1999
  2. L. Perrochon, E. Jang, and D.C. Luckham, 'Enlisting Event Patterns for Cyber Battlefield Awareness,' DARPA Information Survivability Conference & Exposition (DISCEX'00), Hilton Head, South Carolina, January 2000 https://doi.org/10.1109/DISCEX.2000.821538
  3. F. Cuppens, 'Correlation in an intrusion detection process,' Internet Security Communication Workshop(SECI02), Tunis- Tunisia, September 2002
  4. H. Debar and A. Wespi, 'Aggregation and Correlation of Intrusion-Detection Alerts,' Proceedings of 2001 International Workshop on Recent Advances in Intrusion Detection, Davis, CA, October 2001
  5. A. Valdes and K. Skinne, 'Probabilistic Alert Correlation,' Fourth International Workshop on the Recent Advances in Intrusion Detection, Davis, USA, October 2001
  6. Phillip A. Porras, et aI, 'A Mission impact-Based Approach to INFOSEC Alarm Correlation,' Fifth International Workshop on the Recent Advances in Intrusion Detection, Zurich, Switzerland, October 2002
  7. P. Porras and P. Neumann, 'Emerald: Event Monitoring Enabling Responses to Anomalous Live Disturbances,' National Security Conference, 1997
  8. E. Bloedorn, et aI, 'Data Mining for Network Intrusion Detection: How to Get Started,' MITRE Technical Report, August 2001
  9. F. Cuppens, 'Cooperative Intrusion Detection,' International Symposium 'Information Superiority: Tools for Crisis & Conflict-Management,' Paris, France, September, 2001
  10. F. Cuppens, 'Managing alerts in a multi intrusion detection environment,' 17th Annual Computer Security Applications Conference (ACSAC), New Orleans, December 2001 https://doi.org/10.1109/ACSAC.2001.991518
  11. Bugtraq. Security Focus Online. http://online. securityfocus.com/archive/1
  12. CERT Coordination Center. Cert/CC Advisories Carnegie Mellon, Software Engineering Institute. Online. http://www.cert.org/advisories/
  13. C. Kahn, P.A. Porras, S. Staniford-Chen, and B. Tung, 'A Common Intrusion Detection Framework,' http://www.gidos.org
  14. K. Kendall, 'A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems,' Master's Thesis, Massachusetts Institute of Technology, June 1999
  15. W. Lee, R.A. Nimbalkar, K.K. Yee, S.B. Patil, P.H. Desai, T.T. Tran, and S,J. Stolfo, 'A Data Mining and CIDF-Based Approach for Detecting Novel and Distributed Intrusions,' Proceedings 2000 International Workshop on Recent Advances in Intrusion Detection (RAID), Toulouse, France, October 2000
  16. NMAP Network Mapping tool. http://www.insecure.org/nmap/