A comprehensive approach to intrusion detection alert correlation
IEEE Transactions on Dependable and Secure Computing, 2004
Cited by 37 (1 self)

Abstract: Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches to correlation concentrate on just a few components of the process, providing formalisms and techniques that address only specific correlation issues. This paper presents a general correlation model that includes a comprehensive set of components and a framework based on this model. A tool using the framework has been applied to a number of well-known intrusion detection data sets to identify how each component contributes to the overall goals of correlation. The results of these experiments show that the correlation components are effective in achieving alert reduction and abstraction. They also show that the effectiveness of a component depends heavily on the nature of the data set analyzed.

Index Terms: Intrusion detection, alert correlation, alert reduction, correlation data sets.
Oorschot. DNS-based detection of scanning worms in an enterprise network
In Network and Distributed Systems Symposium (NDSS), 2005
Cited by 31 (9 self)

Abstract: Worms are arguably the most serious security threat facing the Internet. Motivated to develop a detection technique that is both efficient and accurate enough to enable automatic containment of worm propagation at the network egress points, we propose a new technique for the rapid detection of worm propagation from an enterprise network. Implemented in software, it relies on the correlation of Domain Name System (DNS) queries with outgoing connections from an enterprise network. Significant improvement over existing scanning worm detection techniques includes: (1) the possibility to detect worm propagation after only a single infection attempt; (2) the capacity to detect zero-day worms; and (3) a low false positive rate. The precision of this first-mile detection technique supports the use of automated containment and suppression strategies to stop fast scanning worms before they leave the network boundary. Furthermore, we believe that this technique can be applied with the same precision to identify other forms of malicious behavior within an enterprise network such as: mass-mailing worms, network reconnaissance activity, and covert communications.
Efficient Consistency for Erasure-Coded Data Via Versioning Servers
2003
Cited by 6 (1 self)

Abstract: This paper describes the design, implementation and performance of a family of protocols for survivable, decentralized data storage. These protocols exploit storage-node versioning to efficiently achieve strong consistency semantics. These protocols allow erasure-codes to be used that achieve network and storage efficiency (and optionally data confidentiality in the face of server compromise). The protocol family is general in that its parameters accommodate a wide range of fault and timing assumptions, up to asynchrony and Byzantine faults of both storage-nodes and clients, with no changes to server implementation or client-server interface. Measurements of a prototype storage system using these protocols show that the protocol performs well under various system model assumptions, numbers of failures tolerated, and degrees of reader-writer concurrency.
A Protocol Family for Versatile Survivable Storage Infrastructures
2003
Cited by 6 (5 self)

Abstract: Survivable storage systems mask faults. A protocol family shifts the decision of which types of faults from implementation time to data-item creation time. If desired, each data-item can be protected from different types and numbers of faults. This paper describes and evaluates a family of storage access protocols that exploit data versioning to efficiently provide consistency for erasure-coded data. This protocol family supports a wide range of fault models with no changes to the client-server interface or server implementations. Its members also shift overheads to clients. Readers only pay these overheads when they actually observe concurrency or failures. Measurements of a prototype block-store show the efficiency and scalability of protocol family members.

