The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

Peng Ning - NC State

Students: Spring 2024, unless noted otherwise, sessions will be virtual on Zoom.

Effective and Efficient Intrusion Analysis

Oct 20, 2004

Abstract

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. In this talk, I will present a series of techniques aimed at addressing this problem. These efforts start with an approach to constructing attack scenarios by correlating alerts on the basis of {em prerequisites} and {em consequences} of attacks. Intuitively, the prerequisite of an attack is the necessary condition for the attack to be successful, while the consequence of an attack is the possible outcome of the attack. Based on the prerequisites and consequences of different types of attacks, this method correlates alerts by (partially) matching the consequences of some prior alerts with the prerequisites of some later ones. In addition, I will present a method to automatically learn attack strategies from correlated alerts and to measure the similarity between sequences of attacks based on their strategies. Finally, I will talk about a recent approach we developed to hypothesize and reason about attacks potentially missed by IDSs.



Related website:
http://discovery.csc.ncsu.edu/Projects/AlertCorrelation


About the Speaker

Peng Ning is currently an assistant professor of Computer Science in the College of Engineering at North Carolina State University. He received his PhD degree in Information Technology from George Mason University in 2001. Prior to his PhD study, he received an ME degree in Communication and Electronic Systems in 1997, and a BS degree in Information Science in 1994, both from University of Science and Technology of China. Peng Ning\'s research interests are mainly in computer and network security. His recent work is mostly in intrusion detection and security in ad-hoc and sensor networks. Peng Ning\'s research has been supported by the National Science Foundation (NSF), the Army Research Office (ARO), the Advanced Research and Development Activity (ARDA), and the NCSU/Duke Center for Advanced Computing and Communication (CACC). Peng Ning is a founding member of the NCSU Cyber Defense Laboratory and the NCSU/Duke CACC. He is also a member of the ACM, the ACM SIGSAC, the IEEE, and the IEEE Computer Society.


Ways to Watch

YouTube

Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!