Jimmy Zhou

Security Lab Seminar

Sept. 10, 2003

Title: "A Knowledge/Capability Attack Model and its Application in NIDS Alert Correlation"

Abstract: Computer attacks are usually modeled individually, i.e., each attack is reported as a single IDS alert. Real intrusion incidents, however, are more complicated: they often consist of a series of interdependent attack steps, each of which is an attack that conventional attack models describe in isolation. In addition, traditional IDSs often generate many false alerts, which increases the burden on system administrators and the uncertainty of deploying an IDS. This work seeks a new way to model such complicated intrusion incidents, thereby reducing the number of IDS alerts, highlighting real attack paths, and eliminating many false alerts.