Correlating Alerts with Vulnerability Information for an Intrusion Path Trace System

Master's === National Chung Cheng University === Graduate Institute of Communications Engineering === 96 === Network hardening reduces successful network intrusion. One approach to network hardening is to remove the vulnerabilities of the systems and services on the Internet. Vulnerability scanning provides isolated vulnerabilities without correlated network topology in...


Bibliographic Details
Main Authors: Li-Ru Chen, 陳俐如
Other Authors: Bo-Chao Cheng
Format: Others
Language: zh-TW
Published: 2008
Online Access: http://ndltd.ncl.edu.tw/handle/54582630011948247086
id ndltd-TW-096CCU05650041
record_format oai_dc
spelling ndltd-TW-096CCU05650041 2016-05-04T04:25:45Z http://ndltd.ncl.edu.tw/handle/54582630011948247086 Correlating Alerts with Vulnerability Information for an Intrusion Path Trace System 聯繫入侵警報與弱點資訊關聯性之入侵途徑追蹤系統 Li-Ru Chen 陳俐如 Bo-Chao Cheng 鄭伯炤 2008 Degree thesis ; thesis 77 zh-TW
collection NDLTD
sources NDLTD
description Master's === National Chung Cheng University === Graduate Institute of Communications Engineering === 96 === Network hardening reduces successful network intrusion. One approach to network hardening is to remove the vulnerabilities of the systems and services on the Internet. Vulnerability scanning provides isolated vulnerabilities without correlated network topology information, which is useless for network hardening. Many organizations use an Intrusion Detection System (IDS) to monitor network traffic, detect intrusions, and recognize victims. However, they have trouble identifying the critical segments of their network for hardening, because of the flood of alerts and the false positives from the IDS. There is no correlation between the intrusions and the overall vulnerabilities with network topology information. To understand overall vulnerability to network intrusion, one must consider attacks not only in isolation but also in combination. We propose to trace the intrusion path by correlating IDS alerts with overall vulnerability information. The attack graph, which contains the overall vulnerabilities and network information, is matched with the evidence graph, which analyzes alerts, to trace and build the intrusion path. The intrusion path identifies the key points in the intrusion for hardening, which provides the correlation between the intrusion and the overall vulnerabilities.