Attack Scenarios Construction and Automated Report Generation in SACHET Intrusion Detection System

Puneet Kaur, Roll Number: Y3111033, June 2005

Supervisors: Dr. Dheeraj Sanghi and Dr. Deepak Gupta

Increased connectivity and the use of the Internet have exposed the organizations to subversion, thereby necessitating the use of intrusion detection systems to protect information systems and communication networks from malicious attacks and unauthorized access. An Intrusion Detection System (IDS) is a security system that monitors computer systems and network traffic, analyzes that traffic to identify possible security breaches, and raises alerts. An IDS triggers thousands of alerts per day making it difficult for human users to analyze them and take appropriate actions. It is therefore important to reduce the redundancy of alerts, intelligently integrate and correlate them, and to present high level view of the detected security issues to the administrator.

In this thesis, we describe the design and implementation of attack scenarioconstruction and automated report generation modules for Sachet - a distributed, real-time, network-based IDS developed at lIT Kanpur. The aim of attack scenario construction is to identify logical relations among low level alerts, correlate them, and to provide the system administrator with a condensed view of reported security issues known as attack scenarios. The alerts are correlated on the assumption that most intrusions are not isolated but related as different stages of a series of attacks, with the early stages preparing for the latter ones. The module was successfully tested on a benchmark 2000 DARPA data set. Automated report generation takes the alerts produced by Sachet and generates reports which provide the system administrator with an overall picture of the status of the network under surveillance.

Download Thesis in PDF

Back to the list of MTech theses

Puneet Kaur can be reached at puneetk.iitk[AT]