Re: RE: IDS Correlation

From: Àî»Ô (huili@sei.xjtu.edu.cn)
Date: 03/22/00


Date: Wed, 22 Mar 2000 17:11:11 +0800
From: Àî»Ô <huili@sei.xjtu.edu.cn>
To: "Matthew F. Caldwell" <mattc@guarded.net>, "focus-ids@securityfocus.com" <focus-ids@securityfocus.com>

I think IDS correlation should refer to an event correlation or threat analysis engine. It is not just the simple association of the same kinds of IDS alerts (of course association is basic); there should be more work than that. I think
the work needed is:
 1. put duplicate or similar alerts from different IDSs together and give a concise report
 2. put alerts of attacks from the same source but different targets together to get a complete attack scenario of the hacker
 3. pick up attacks that span a period of time but carry some internal clues which could be detected through inference on the attack history. For example, a hacker often will scan ----> exploit ----> install back door tools ----> steal key files ----> erase logs. Each step may trigger a different IDS to give alerts; if we can put these alerts together, the attack will be clear.
        Have I left something out about the task of correlation? Replies welcome! Thanks

>I think you will find that the correlation systems on the market do a lot more than just Intrusion Detection Systems. The correlation tools have expanded to numerous devices including network devices, hosts, IDS, firewalls, and even application security. The definition of correlation varies widely with each company. Some of the products in the field only do correlation; however, I think the market will be dominated by threat analysis engines (explained later), not just correlation tools.
>
>The following is a listing of correlation techniques I have seen publicly.
>
>Simple Correlation
>The ability to see all events in a normalized format side by side in a single perspective.
>Example:
>
> Checkpoint FW1 X.X.X.X Z.Z.Z.Z accept
> Enterasys Dragon X.X.X.X Z.Z.Z.Z IISUNICODE
> ISS RealSecure X.X.X.X Z.Z.Z.Z Nimda_Worm
                                Can you give me some explanation of the X.X.X.X and Z.Z.Z.Z? Thanks


>
>Cross Organization Correlation
>Managed Service Providers and Intelligence Service Providers can do this (or at least I hope so): you are trying to match similar events with a bit of fuzziness to help customers come together as a group in combating a threat.
>
>Time by Event Correlation
>A statistics table holds key information about event counts and time periods over hosts. Picks up slow scans and that type of thing if you have lots of memory :>
>
>Rules or Pattern Correlation
>This is a manual process of configuring rules to act as a higher-level signature.
>IISUNICODE1 + IISUNICODE2 = NIMDA
>
>Grouping Correlation
>This type, primarily called classes, would group all of your IDS events in a similar fashion. For example: ids.detect.ddos might contain many DDOS signatures.
>
>Vulnerability Name and Event Correlation.
>Well ladies and gentlemen, this is where it starts to get messy. This is a form of correlation, but I think it demands recognition as a higher level of analysis; I usually call this a type of threat analysis engine because effectively you are justifying the threat or reducing the perceived threat in a useful manner. These are getting more and more complex, at least here at GuardedNet. I would encourage you to look more into a threat analysis tool than just a correlation tool.
>
>I will be at the TechSec 2002 Conference (http://www.techsec.com), April 7-10, discussing these very topics.
>
>Matthew F. Caldwell, CISSP
>Chief Security Officer
>GuardedNet, Inc.
>http://www.guarded.net
>Home of neuSECURE Threat Management Software
>
>
> -----Original Message-----
> From: Àî»Ô [mailto:huili@sei.xjtu.edu.cn]
> Sent: Tue 3/21/2000 9:49 PM
> To: focus-ids@securityfocus.com
> Cc:
> Subject: IDS Correlation
>
>
>
> hi,all
> Recently I am focusing on IDS correlation, but I keep thinking about these questions:
> 1. Can correlation definitely improve performance, such as precision?
> 2. Maybe a comprehensive knowledge base about all kinds of IDS alerts is essential to correlation, but how can we acquire it?
> 3. Supposing that we have the knowledge base, which kinds of methods should we take to do correlation?
> welcome all kinds of comments about correlation.
>
>
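The three tasks listed at the top of this message (merge duplicate alerts, build a per-source attack scenario, infer a multi-step attack from the history) and the techniques in the quoted reply (normalizing events from several sensors, grouping signatures into classes, time-by-event statistics for slow scans, rule/pattern correlation such as "IISUNICODE1 + IISUNICODE2 = NIMDA") fit into one small engine. The following is an added example for this thread, not code from either poster or from any product named here; the sensor names, signature strings, class names, alert format and every alert line are constructed assumptions for illustration.

```python
"""Toy alert-correlation engine: added example, not code from the thread.
Sensor names, signature strings, class names and all alert lines below are
constructed assumptions, not real product output."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds on a constructed timeline
    sensor: str
    src: str
    dst: str
    cls: str       # normalized class, e.g. "ids.detect.iis.unicode"


# Grouping correlation: several vendor-specific names map to one class.
# Assumed names; they are not real signature identifiers.
SIG_CLASS = {
    "IISUNICODE1": "ids.detect.iis.unicode",
    "IISUNICODE2": "ids.detect.iis.unicode",
    "IIS_Unicode_Traversal": "ids.detect.iis.unicode",
    "PortScan": "ids.detect.scan",
    "Backdoor_Listener": "ids.detect.backdoor",
    "accept": "fw.accept",
}

# Constructed alerts, all in one assumed "sensor|ts|src|dst|signature" format.
RAW_ALERTS = [
    "dragon|20|10.1.1.5|192.0.2.10|PortScan",
    "fw1|100|10.1.1.5|192.0.2.10|accept",
    "dragon|101|10.1.1.5|192.0.2.10|IISUNICODE1",
    "realsecure|102|10.1.1.5|192.0.2.10|IIS_Unicode_Traversal",
    "dragon|140|10.1.1.5|192.0.2.10|IISUNICODE2",
    "realsecure|900|10.1.1.5|192.0.2.10|Backdoor_Listener",
    # a slow scanner: one connection every three minutes to a new host
    "fw1|0|203.0.113.7|192.0.2.1|accept",
    "fw1|180|203.0.113.7|192.0.2.2|accept",
    "fw1|360|203.0.113.7|192.0.2.3|accept",
    "fw1|540|203.0.113.7|192.0.2.4|accept",
]
# Higher-level signature: scan, then exploit, then back door, from one source.
STAGES = ["ids.detect.scan", "ids.detect.iis.unicode", "ids.detect.backdoor"]


def normalize(line: str) -> Event:
    """Simple correlation: put every sensor's alert into one shape."""
    sensor, ts, src, dst, sig = line.split("|")
    return Event(int(ts), sensor, src, dst, SIG_CLASS.get(sig, "unknown." + sig))


def dedupe(events, window=60):
    """Task 1: merge same-class alerts on one src/dst pair raised by any
    sensor within `window` seconds into (first_event, count, sensors)."""
    merged = []
    for e in sorted(events, key=lambda x: x.ts):
        for i, (first, count, sensors) in enumerate(merged):
            if ((first.src, first.dst, first.cls) == (e.src, e.dst, e.cls)
                    and e.ts - first.ts <= window):
                merged[i] = (first, count + 1, sensors | {e.sensor})
                break
        else:
            merged.append((e, 1, {e.sensor}))
    return merged


def by_source(events):
    """Task 2: the time-ordered history of every attacking address."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        groups[e.src].append(e)
    return dict(groups)


def match_sequence(events, stages, max_span=3600):
    """Task 3 / rules correlation: sources whose history contains the stage
    classes in order within max_span seconds -> {src: (first_ts, last_ts)}."""
    hits = {}
    for src, history in by_source(events).items():
        i, start = 0, None
        for e in history:
            if e.cls != stages[i]:
                continue
            start = e.ts if start is None else start
            if e.ts - start > max_span:
                break
            i += 1
            if i == len(stages):
                hits[src] = (start, e.ts)
                break
    return hits


def slow_scanners(events, min_targets=3, window=600):
    """Time-by-event correlation: distinct targets per source in a sliding
    window; catches probes too slow for a per-packet scan signature."""
    found = {}
    for src, history in by_source(events).items():
        lo = 0
        for hi, e in enumerate(history):
            while e.ts - history[lo].ts > window:
                lo += 1
            targets = {x.dst for x in history[lo:hi + 1]}
            if len(targets) >= min_targets:
                found[src] = max(found.get(src, 0), len(targets))
    return found


EVENTS = [normalize(line) for line in RAW_ALERTS]
```

Running `dedupe(EVENTS)` folds the three Unicode-traversal alerts from two sensors into one line with a count of 3; `match_sequence(EVENTS, STAGES)` reports 10.1.1.5 as having completed the scan -> exploit -> back door chain between ts 20 and ts 900, even though the firewall "accept" and the individual IDS alerts say nothing about each other; and `slow_scanners(EVENTS)` flags 203.0.113.7, whose four probes never trip a scan signature because they are minutes apart. The windows and thresholds are the knobs that trade memory and false positives against sensitivity, which is the point the quoted reply makes about time-by-event correlation.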


