
Abstracting and correlating heterogeneous events to detect complex scenarios


DOCUMENT INFORMATION

Basic information

Format
Pages: 209
Size: 3.84 MB

Contents

Abstracting and Correlating Heterogeneous Events to Detect Complex Scenarios

by Sorot Panichprecha
Bachelor of Science (Thammasat University, Thailand) – 1999
Master of Information Technology (QUT) – 2004

Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Institute, Faculty of Science and Technology, Queensland University of Technology
March 2009

Keywords

Intrusion detection, signature-based intrusion detection, event correlation, event abstraction, time uncertainty, multi-step attack detection, unification

Abstract

The research presented in this thesis addresses inherent problems in signature-based intrusion detection systems (IDSs) operating in heterogeneous environments. The research proposes a solution to the difficulties associated with multi-step attack scenario specification and detection for such environments. The research has focused on two distinct problems: the representation of events derived from heterogeneous sources, and multi-step attack specification and detection.

The first part of the research investigates the application of an event abstraction model to event logs collected from a heterogeneous environment. The event abstraction model comprises a hierarchy of events derived from different log sources such as system audit data, application logs, captured network traffic, and intrusion detection system alerts. Unlike existing event abstraction models, where low-level information may be discarded during the abstraction process, the event abstraction model presented in this work preserves all low-level information while also providing high-level information in the form of abstract events. The event abstraction model presented in this work was designed independently of any particular IDS and thus may be used by any IDS, intrusion forensic tool, or monitoring tool.

The second part of the research investigates the use of unification for multi-step attack scenario specification and detection. Multi-step attack scenarios are hard to specify and detect, as they often involve the correlation of events from multiple sources which may be affected by time uncertainty. The unification algorithm provides a simple and straightforward scenario matching mechanism by using variable instantiation, where variables represent events as defined in the event abstraction model.

The third part of the research looks into the solution to address time uncertainty. Clock synchronisation is crucial for detecting multi-step attack scenarios which involve logs from multiple hosts. Issues involving time uncertainty have been largely neglected by intrusion detection research. The system presented in this research introduces two techniques for addressing time uncertainty issues: clock skew compensation, and clock drift modelling using linear regression.

An off-line IDS prototype for detecting multi-step attacks has been implemented. The prototype comprises two modules: an implementation of the abstract event system architecture (AESA) and the scenario detection module. The scenario detection module implements our signature language, developed on the basis of the Python programming language syntax, and the unification-based scenario detection engine. The prototype has been evaluated using a publicly available dataset of real attack traffic and event logs, and a synthetic dataset. The distinctive feature of the public dataset is that it contains multi-step attacks which involve multiple hosts with clock skew and clock drift. These features allow us to demonstrate the application and the advantages of the contributions of this research. All instances of multi-step attacks in the dataset have been correctly identified even though there is significant clock skew and drift in the dataset.

Future work identified by this research would be to develop a refined unification algorithm suitable for processing streams of events to enable on-line detection. In terms of time uncertainty, identified future work would be to develop mechanisms which allow automatic clock skew and clock drift identification and correction. The immediate application of the research presented in this thesis is the framework of an off-line IDS which processes events from heterogeneous sources using abstraction and which can detect multi-step attack scenarios which may involve time uncertainty.

Contents

Keywords  i
Abstract  iii
Table of Contents  vii
List of Figures  xiii
List of Tables  xv
Declaration  xvii
Previously Published Material  xix
Acknowledgements  xxi
1 Introduction
  1.1 Motivation
  1.2 Research Outcomes
  1.3 Organisation of the Thesis
2 Intrusion Detection Systems
  2.1 Intrusion Detection Systems: Architecture, Classifications, and Requirements
    2.1.1 Architecture of Intrusion Detection Systems
    2.1.2 Intrusion Detection System Classifications  10
    2.1.3 Intrusion Detection Systems: Requirements and Evaluation Methodologies  13
  2.2 Multi-Step Attack Detection Techniques  15
    2.2.1 State-based Technique  15
    2.2.2 Event-based Technique  17
    2.2.3 Evolution of Multi-Step Attack Detection Techniques  19
  2.3 Event Representation and Abstraction  20
    2.3.1 Canonical Event Representation  21
    2.3.2 Event Abstraction  24
  2.4 Time Uncertainty  26
    2.4.1 Clock Synchronisation Mechanisms  27
    2.4.2 Clock Skew and Clock Drift  28
  2.5 Research Challenges  29
    2.5.1 Canonical Event Representation  29
    2.5.2 Comprehensive Multi-Level Event Abstraction  29
    2.5.3 Multi-Step Attack Specification and Detection Mechanisms  30
    2.5.4 Treatment of Time Uncertainty  31
  2.6 Summary  31
3 Abstract Event Model, and Scenario Specification and Detection  33
  3.1 Motivating Example: Failed Administrator Login Attempts  34
  3.2 The Abstract Event System Architecture  36
    3.2.1 Fundamental Concepts  37
    3.2.2 Components of the Abstract Event System Architecture  38
  3.3 Sensor Events  41
    3.3.1 Data Source Schema  41
    3.3.2 Sensor Event Tree  44
  3.4 The Abstract Event Model  45
    3.4.1 Derived Events  46
    3.4.2 Abstract Events  47
    3.4.3 Modelling Failed Administrator Login Attempts  50
    3.4.4 Discussion  52
  3.5 Time Uncertainty  53
    3.5.1 Determining Clock Skew  54
    3.5.2 Constant Skew Compensation  55
    3.5.3 Clock Drift Modelling with Linear Regression  56
    3.5.4 Discussion  58
  3.6 Scenario Specification and Detection  59
    3.6.1 Unification Background  60
    3.6.2 Unification in Scenario Detection  61

D.2 Signatures for Attacks in the SOTM 34  171

    self.step2.outbound_ssh.source_address == self.step1.backdoor.destination_address
    after(self.step2.outbound_ssh, self.step1.backdoor, '00:10:00')

172  Appendix D  Attack Signatures used in the Evaluation
... thank Mark Branagan and Andrew Marrington for helping me learn about Australian culture and politics. I would like to thank my coffee buddies, Mark Branagan, Andrew Marrington, and James Mackie ...

... concrete and abstract events. A signature using abstract events provides the ability to specify generic signatures, which leads to fewer signatures to be maintained. For instance, to monitor ...

... environment with heterogeneous components, to avoid writing signatures specific to one system and to add flexibility to the IDS. Multi-step attack specification and multi-step attack detection engine ...

Posted: 07/08/2017, 11:23
