1. Discovering Novel Attack Strategies from Infosec Alerts.
- Author
- Jajodia, Sushil, Singhal, Anoop, Xinzhou Qin, and Wenke Lee
- Abstract
Deploying a large number of information security (INFOSEC) systems can provide in-depth protection for systems and networks. However, the sheer number of security alerts output by security sensors can overwhelm security analysts and keep them from performing effective analysis and initiating timely response. Therefore, it is important to develop an advanced alert correlation system that can reduce alarm redundancy, intelligently correlate security alerts and detect attack strategies. Alert correlation is therefore a core component of a security management system. Correlating security alerts and discovering attack strategies are important and challenging tasks for security analysts. Recently, there have been several proposed techniques to analyze attack scenarios from security alerts. However, most of these approaches depend on a priori and hard-coded domain knowledge, which leads to their limited capabilities of detecting new attack strategies. In addition, these approaches focus more on the aggregation and analysis of raw security alerts, and build basic or low-level attack scenarios. This paper focuses on discovering novel attack strategies via analysis of security alerts. Our integrated alert correlation system helps security administrators aggregate redundant alerts, filter out unrelated attacks, correlate security alerts and analyze attack scenarios. Our integrated correlation system consists of three complementary correlation mechanisms based on two hypotheses of attack step relationship. The first hypothesis is that some attack steps are directly related because an earlier attack enables or positively affects the later one. We have developed a probabilistic-based correlation engine that incorporates domain knowledge to correlate alerts with a direct causal relationship.
The second hypothesis is that some related attack steps, even though they do not have an obvious or direct (or known) relationship in terms of security and performance measures, still exhibit statistical and temporal patterns. For this category of relationship, we have developed two correlation engines to discover attack transition patterns based on statistical analysis and temporal pattern analysis, respectively. Based on the correlation results of these three correlation engines, we construct attack scenarios and conduct attack path analysis. The security analysts are presented with aggregated information on attack strategies from the integrated correlation system. We evaluate our approaches using DARPA's Grand Challenge Problem (GCP) data sets. Our evaluation shows that our approach can effectively discover novel attack strategies, provide a quantitative analysis of attack scenarios and identify attack plans. [ABSTRACT FROM AUTHOR]
- Published
- 2007