Publication


Featured research published by Klaus Julisch.


ACM Transactions on Information and System Security | 2003

Clustering intrusion detection alarms to support root cause analysis

Klaus Julisch

It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. This paper presents a new approach for handling intrusion detection alarms more efficiently. Central to this approach is the notion that each alarm occurs for a reason, which is referred to as the alarm's root cause. This paper observes that a few dozen rather persistent root causes generally account for over 90% of the alarms that an intrusion detection system triggers. Therefore, we argue that alarms should be handled by identifying and removing the most predominant and persistent root causes. To make this paradigm practicable, we propose a novel alarm-clustering method that supports the human analyst in identifying root causes. We present experiments with real-world intrusion detection alarms to show how alarm clustering helped us identify root causes. Moreover, we show that the alarm load decreases quite substantially if the identified root causes are eliminated so that they can no longer trigger alarms in the future.


knowledge discovery and data mining | 2002

Mining intrusion detection alarms for actionable knowledge

Klaus Julisch; Marc Dacier

In response to attacks against enterprise networks, administrators increasingly deploy intrusion detection systems. These systems monitor hosts, networks, and other resources for signs of security violations. The use of intrusion detection has given rise to another difficult problem, namely the handling of a generally large number of alarms. In this paper, we mine historical alarms to learn how future alarms can be handled more efficiently. First, we investigate episode rules with respect to their suitability in this approach. We report the difficulties encountered and the unexpected insights gained. In addition, we introduce a new conceptual clustering technique, and use it in extensive experiments with real-world data to show that intrusion detection alarms can be handled efficiently by using previously mined knowledge.


Archive | 2005

Detection of Intrusions and Malware, and Vulnerability Assessment

Klaus Julisch; Christopher Kruegel

Obfuscated Code Detection
Analyzing Memory Accesses in Obfuscated x86 Executables
Hybrid Engine for Polymorphic Shellcode Detection
Honeypots
Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities
A Pointillist Approach for Comparing Honeypots
Vulnerability Assessment and Exploit Analysis
Automatic Detection of Attacks on Cryptographic Protocols: A Case Study
METAL - A Tool for Extracting Attack Manifestations
Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
Anomaly Detection
A Learning-Based Approach to the Detection of SQL Attacks
Masquerade Detection via Customized Grammars
A Prevention Model for Algorithmic Complexity Attacks
Misuse Detection
Detecting Malicious Code by Model Checking
Improving the Efficiency of Misuse Detection
Distributed Intrusion Detection and IDS Testing
Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context
TCPtransform: Property-Oriented TCP Traffic Transformation


annual computer security applications conference | 2001

Mining alarm clusters to improve alarm handling efficiency

Klaus Julisch

It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. As a matter of fact, IBM Research's Zurich Research Laboratory has been asked by one of our service divisions to help them deal with this problem. This paper presents the results of our research, validated thanks to a large set of operational data. We show that alarms should be managed by identifying and resolving their root causes. Alarm clustering is introduced as a method that supports the discovery of root causes. The general alarm clustering problem is proved to be NP-complete, an approximation algorithm is proposed, and experiments are presented.


Information Security Journal: A Global Perspective | 2010

Security and Control in the Cloud

Klaus Julisch; Michael Hall

Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today's generation of information security management systems (ISMSs), as specified in ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing. This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.


Computers & Security | 2011

Compliance by design - Bridging the chasm between auditors and IT architects

Klaus Julisch; Christophe Suter; Thomas Woitalla; Olaf Zimmermann

System and process auditors assure - from an information processing perspective - the correctness and integrity of the data that is aggregated in a company's financial statements. To do so, they assess whether a company's business processes and information systems process financial data correctly. The audit process is a complex endeavor that in practice has to rely on simplifying assumptions. These simplifying assumptions mainly result from the need to restrict the audit scope and to focus it on the major risks. This article describes a generalized audit process. According to our experience with this process, there is a risk that material deficiencies remain undiscovered when said simplifying assumptions are not satisfied. To address this risk of deficiencies, the article compiles thirteen control patterns, which - according to our experience - are particularly suited to help information systems satisfy the simplifying assumptions. As such, use of these proven control patterns makes information systems easier to audit, and IT architects can use them to build systems that meet audit requirements by design. Additionally, the practices and advice offered in this interdisciplinary article help bridge the gap between the architects and auditors of information systems and show either role how to benefit from an understanding of the other role's terminology, techniques, and general work approach.


Archive | 2002

Method, computer program element and system for processing alarms triggered by a monitoring system

Marc Dacier; Klaus Julisch


Archive | 2003

Attack signature generation

Klaus Julisch; James F. Riordan


Archive | 2002

Design of an intrusion-tolerant intrusion detection system

Marc Dacier; Dominique Alessandri; Raffael Marty; Christian Cachin; David Powell; Brian Randell; Yves Deswarte; James F. Riordan; Klaus Julisch; Andreas Wespi; Klaus Kursawe


recent advances in intrusion detection | 2000

Dealing with False Positives in Intrusion Detection

Klaus Julisch
