Results 1 - 6 of 6
A comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing, 2004.
Cited by 37 (1 self)
Abstract—Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches to correlation concentrate on just a few components of the process, providing formalisms and techniques that address only specific correlation issues. This paper presents a general correlation model that includes a comprehensive set of components and a framework based on this model. A tool using the framework has been applied to a number of well-known intrusion detection data sets to identify how each component contributes to the overall goals of correlation. The results of these experiments show that the correlation components are effective in achieving alert reduction and abstraction. They also show that the effectiveness of a component depends heavily on the nature of the data set analyzed. Index Terms—Intrusion detection, alert correlation, alert reduction, correlation data sets.
Organizing Large Scale Hacking Competitions. In Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2010.
Cited by 3 (1 self)
Abstract. Computer security competitions and challenges are a way to foster innovation and educate students in a highly-motivating setting. In recent years, a number of different security competitions and challenges were carried out, each with different characteristics, configurations, and goals. From 2003 to 2007, we carried out a number of live security exercises involving dozens of universities from around the world. These exercises were designed as “traditional” Capture The Flag competitions, where teams both attacked and defended a virtualized host, which provided several vulnerable services. In 2008 and 2009, we introduced two completely new types of competition: a security “treasure hunt” and a botnet-inspired competition. These two competitions, to date, represent the largest live security exercises ever attempted and involved hundreds of students across the globe. In this paper, we describe these two new competition designs, the challenges overcome, and the lessons learned, with the goal of providing useful guidelines to other educators who want to pursue the organization of similar events.
Facilitating Alert Correlation Using Resource Trees, 2005.
Cited by 1 (0 self)
With the steady increase in the number of attacks against networks and hosts, security systems such as intrusion detection systems are widely deployed into networks. Intrusion detection systems may flag large numbers of alerts, where false alerts are mixed with true ones. To understand the security threats and take appropriate actions, it is necessary to perform alert correlation. One class of alert correlation methods is the prerequisite and consequence based approach, where the prerequisite of an attack is the necessary condition to launch the attack, and the consequence of an attack is the possible outcome if the attack succeeds. Through matching the consequence of earlier attacks with the prerequisites of later ones, attack scenarios can be discovered. However, one limitation of these approaches is that the specification of prerequisites and consequences for different alert types usually is time-consuming and error-prone. To address this limitation, this thesis proposes a resource tree based method to facilitate the specification of prerequisites and consequences. Attacks can be viewed from the perspective of resources. Example resources include various network services and privileges. This thesis further organizes resources into trees, where the nodes in the trees are labelled with conditions (represented by predicates). To specify the prerequisite and consequence of an attack, it is required to look for the desirable resource trees related to the attack’s prerequisite and consequence, then traverse the trees to find the appropriate nodes, and finally select the suitable predicates to put into the prerequisite and consequence. This approach is simple and less expert-dependent. The usability study and comprehensiveness study (with more than 3000 alert types) demonstrate the effectiveness of this approach. Correlation results with different datasets further show that prerequisites and consequences defined using our methodology can be effectively used for alert correlation.
The Blunderdome: An Offensive Exercise for Building Network, Systems, and Web Security Awareness
Cited by 1 (0 self)
In spite of the controversy surrounding the practice of using offensive computer security exercises in information assurance curricula, it holds significant educational value. An exercise and architecture for an asymmetric (offense-only) security project, nicknamed “Blunderdome”, has been deployed twice at the University of Tulsa: once to graduate students in a security engineering course, and once to high school students as part of a research internship program. This paper discusses the framework, the project, its educational value, and lessons learned for future deployments. Coverage is also given briefly to a summary of our position on the role of offensive exercises in security education.
Hit ’em Where it Hurts: A Live Security Exercise on Cyber Situational Awareness
Cited by 1 (0 self)
Live security exercises are a powerful educational tool to motivate students to excel and foster research and development of novel security solutions. Our insight is to design a live security exercise to provide interesting datasets in a specific area of security research. In this paper we validated this insight, and we present the design of a novel kind of live security competition centered on the concept of Cyber Situational Awareness. The competition was carried out in December 2010, and involved 72 teams (900 students) spread across 16 countries, making it the largest educational live security exercise ever performed. We present both the innovative design of this competition and the novel dataset we collected. In addition, we define Cyber Situational Awareness metrics to characterize the toxicity and effectiveness of the attacks performed by the participants with respect to the missions carried out by the targets of the attack.