Abstract:
The Intrusion Detection System (IDS) has become an important component of network security infrastructure. Currently, many IDSs are capable of detecting nearly all of the suspicious activities that may be launched against the information system under surveillance. Unfortunately, due to the huge volume of alerts produced by these IDSs, it is too complicated for system administrators (human users) to analyze the output data for intrusion information. Moreover, the elementary nature of these alerts makes it difficult to understand the attack scenarios. Therefore, there is a need to process the output data of IDS sensors before submitting it to system administrators.

This thesis focuses on building a method of constructing high-level and succinct security reports by correlating raw alerts produced by IDS sensors. Many alert correlation proposals are currently available; the methodology of this thesis is based on the preconditions and postconditions of attacks. A system based on this framework is also implemented, which produces two types of report: an attack graph and a table. To build an informative and consistent knowledge base, this thesis considers the use of an action language to model attack actions. The system experiment using the DARPA 2000 dataset is also discussed.
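The following is an added illustration of the precondition/postcondition correlation idea described in the abstract, not code from the thesis or its implemented system: a later alert is linked to an earlier one when some postcondition the earlier attack establishes is a precondition the later attack requires, yielding attack-graph edges and a tabular report, while alerts that chain to nothing are set aside as noise. The alert types, predicate names and hosts are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    """A raw IDS alert already mapped to an attack type with its
    precondition and postcondition predicates (hypothetical knowledge base)."""
    aid: int
    attack: str
    ts: int
    pre: frozenset   # predicates that must hold for the attack to work
    post: frozenset  # predicates the attack establishes on success

def correlate(alerts):
    """Return (edges, isolated): edge (a, b, shared) means an earlier alert a
    establishes a postcondition that a later alert b requires as a precondition;
    'isolated' lists alert ids that neither prepare nor are prepared by another."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    edges, linked = [], set()
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            shared = earlier.post & later.pre
            if shared:
                edges.append((earlier.aid, later.aid, sorted(shared)))
                linked.update((earlier.aid, later.aid))
    isolated = sorted(a.aid for a in alerts if a.aid not in linked)
    return edges, isolated

def table_report(alerts, edges):
    """Tabular view: one row per correlated alert with the alerts that prepared it."""
    by_id = {a.aid: a for a in alerts}
    preps = {}
    for src, dst, _ in edges:
        preps.setdefault(dst, []).append(src)
    correlated = {s for s, _, _ in edges} | {d for _, d, _ in edges}
    return [(aid, by_id[aid].attack, sorted(preps.get(aid, [])))
            for aid in sorted(correlated)]

# Constructed sample alerts (not taken from the thesis or the DARPA dataset)
H = "10.0.0.5"
SAMPLE = [
    Alert(1, "icmp_sweep",      100, frozenset(), frozenset({f"reachable({H})"})),
    Alert(2, "service_probe",   130, frozenset({f"reachable({H})"}), frozenset({f"vuln_service({H})"})),
    Alert(3, "remote_overflow", 200, frozenset({f"vuln_service({H})"}), frozenset({f"root({H})"})),
    Alert(4, "agent_install",   260, frozenset({f"root({H})"}), frozenset({f"agent({H})"})),
    Alert(5, "port_scan",       150, frozenset(), frozenset({"reachable(10.0.0.9)"})),  # unrelated noise
]

if __name__ == "__main__":
    graph_edges, noise = correlate(SAMPLE)
    for src, dst, shared in graph_edges:
        print(f"{src} -> {dst} via {shared}")
    print("isolated:", noise)
    for row in table_report(SAMPLE, graph_edges):
        print(row)
```

The four alerts against 10.0.0.5 collapse into one scenario chain, while the unrelated scan is reported as isolated, which is the volume reduction the abstract motivates.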