CEP for Intrusion Detection
In this project we apply the Stanford Complex Event Processor (CEP)
to the domain of intrusion detection. Some of the results that can be achieved
by using context-based event correlation are:
- High-level view: CEP provides high-level situation classification, event description, and deployment of new defensive actions driven by high-level strategies.
- Flexibility: CEP provides rapid reaction and interactive on-the-fly reconfiguration of strategies.
- Analysis: CEP provides drill-down diagnostic analysis.
- Consolidation: CEP can correlate a diversity of independent inputs, from network-level intrusion detectors to application-level sensors.
- False alarm reduction: alarms that are not confirmed by another detector or by a later event may be ignored.
- Increased detection rate: CEP detects coordinated but separate attacks, no matter how widely separated in time, by capturing the causal relations between events. Unobserved intrusions may be detected by deduction from observed attacks. On-line correlation of early-stage probing alerts may detect ongoing attack patterns at an early stage.
CEP provides an on-line overview of the state of the cyber battlefield. Patterns of events that may lead to a failure (e.g. a DNS server with slower and slower response times) are detected as they occur, and CEP provides immediate notification of such conditions. Because the context of events is maintained, user-driven drill-down from a notification message back to the root cause is possible. Automatic prioritizing of alerts and quick root cause analysis reduce response time, increase up time and allow system managers to respond quickly to critical situations. CEP also allows automatic response based on pre-defined rules.
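The correlation behaviour described above, as an added example that is not part of the Stanford project's code or of the CEP system itself: a small on-line correlator in Python with three declarative rules (confirmation by a second detector within a time window for false alarm reduction, a causal chain with no time window so widely separated stages of one attack still correlate, and a strictly increasing trend for the slowing-DNS-server failure precursor), plus drill-down from a derived notification back to the raw sensor events. The event kinds, attribute names, addresses and the sample event stream are all constructed for the illustration, not taken from the project.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    kind: str                       # e.g. "nids_alert", "host_alert", "dns_rtt" (constructed names)
    time: float                     # timestamp, seconds
    attrs: Dict[str, object] = field(default_factory=dict)
    causes: List["Event"] = field(default_factory=list)   # lower-level events this one was derived from


Rule = Callable[[Event, dict], Optional[Event]]


class Correlator:
    """Runs every rule on each incoming event; a derived event is fed back in,
    so rules can be layered to build higher levels of abstraction."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: dict = {}
        self.derived: List[Event] = []

    def feed(self, ev: Event) -> None:
        for rule in self.rules:
            out = rule(ev, self.state)
            if out is not None:
                self.derived.append(out)
                self.feed(out)


def confirm_within(primary: str, confirming: str, key: str, window: float) -> Rule:
    """False alarm reduction: a `primary` event becomes a "confirmed_alert" only if a
    `confirming` event with the same `key` arrives within `window` seconds; others age out."""
    def rule(ev: Event, state: dict) -> Optional[Event]:
        if ev.kind not in (primary, confirming):
            return None
        pending = state.setdefault(("confirm", primary, confirming), {})
        k = ev.attrs.get(key)
        recent = [e for e in pending.get(k, []) if ev.time - e.time <= window]
        match = next((e for e in recent if e.kind != ev.kind), None)
        if match is None:
            pending[k] = recent + [ev]      # wait for confirmation (or silently expire)
            return None
        pending[k] = [e for e in recent if e is not match]
        return Event("confirmed_alert", ev.time, {key: k}, causes=[match, ev])
    return rule


def causal_chain(stages: Tuple[str, ...], key: str, name: str) -> Rule:
    """Increased detection rate: stages[0] -> stages[1] -> ... from the same `key`,
    with no time window, so steps hours or days apart still form one attack."""
    def rule(ev: Event, state: dict) -> Optional[Event]:
        if ev.kind not in stages:
            return None
        progress = state.setdefault(("chain", stages), {})
        k = ev.attrs.get(key)
        seen = progress.get(k, [])
        if ev.kind != stages[len(seen)]:
            return None                     # not the next expected stage: keep waiting
        seen = seen + [ev]
        if len(seen) < len(stages):
            progress[k] = seen
            return None
        progress.pop(k, None)
        return Event(name, ev.time, {key: k}, causes=seen)
    return rule


def degrading_trend(kind: str, value: str, key: str, n: int, name: str) -> Rule:
    """Failure precursor: `n` consecutive samples of `value` strictly increasing
    (the page's example is a DNS server answering slower and slower)."""
    def rule(ev: Event, state: dict) -> Optional[Event]:
        if ev.kind != kind:
            return None
        hist = state.setdefault(("trend", kind), {})
        k = ev.attrs.get(key)
        samples = (hist.get(k, []) + [ev])[-n:]
        vals = [e.attrs[value] for e in samples]
        if len(vals) == n and all(a < b for a, b in zip(vals, vals[1:])):
            hist[k] = []                    # reset so one trend raises one notification
            return Event(name, ev.time, {key: k, value: vals}, causes=samples)
        hist[k] = samples
        return None
    return rule


def root_causes(ev: Event) -> List[Event]:
    """Drill-down: follow `causes` links from a notification back to the raw sensor events."""
    if not ev.causes:
        return [ev]
    return [leaf for c in ev.causes for leaf in root_causes(c)]


# Constructed sample stream (not real sensor data), in time order.
SAMPLE_EVENTS = [
    Event("nids_alert", 0, {"src": "10.0.0.5", "sig": "portscan"}),
    Event("nids_alert", 5, {"src": "10.0.0.9", "sig": "portscan"}),     # never confirmed: ignored
    Event("host_alert", 20, {"src": "10.0.0.5", "msg": "inbound connect"}),
    Event("dns_rtt", 100, {"server": "ns1", "ms": 20}),
    Event("dns_rtt", 160, {"server": "ns1", "ms": 25}),
    Event("dns_rtt", 220, {"server": "ns1", "ms": 31}),
    Event("dns_rtt", 280, {"server": "ns1", "ms": 40}),
    Event("auth_failure", 3600, {"src": "10.0.0.5"}),                   # an hour later
    Event("auth_success", 90000, {"src": "10.0.0.5"}),                  # a day later, still correlated
]


def run_demo() -> Correlator:
    c = Correlator([
        confirm_within("nids_alert", "host_alert", key="src", window=60),
        causal_chain(("confirmed_alert", "auth_failure", "auth_success"), key="src",
                     name="multi_stage_attack"),
        degrading_trend("dns_rtt", value="ms", key="server", n=4, name="dns_degradation"),
    ])
    for ev in SAMPLE_EVENTS:
        c.feed(ev)
    return c


if __name__ == "__main__":
    for d in run_demo().derived:
        leaves = root_causes(d)
        print(f"{d.kind:20} t={d.time:<6g} from: " + ", ".join(f"{e.kind}@{e.time:g}" for e in leaves))
```

The scan from 10.0.0.9 is never promoted because no second detector confirms it, the chain rule consumes the derived confirmed_alert rather than the raw scan (which is what lets rules stack into higher abstractions), and the multi_stage_attack event carries the full chain of causes so an operator can drill down from it to the original port scan a day earlier.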
Publications
Abstract
Cyber warfare consists to a large degree of reaction to activities
happening in the information infrastructure. Better knowledge of the status
of this infrastructure at any time allows more appropriate reactions. Context-based
event correlation can provide a more appropriate view of the cyber battlefield
by providing users a view on the desired level of abstraction. We informally
introduce context as the temporal and causal relations between events.
Event correlation based on event patterns in a declarative language means
we specify what to detect, instead of how to detect. We describe the Stanford
University context-based event correlator that is able to process events
on-line, as they are generated. It can be reconfigured dynamically while
it is running. Using the example of intrusion detection, we show how Complex
Event Processing (CEP) increases the detection rate, reduces false alarms, and
detects large-scale attack patterns at an early stage.
- Perrochon, L.: Real Time Event Based Analysis of Complex Systems. INFORMATIK 6/98, pp. 31-36.
- Perrochon, L., Mann, W., Kasriel, S., Luckham, D. C.: Event Mining with Event Processing Networks. The Third Pacific-Asia Conference on Knowledge Discovery and Data Mining, April 26-28, 1999, Beijing, China. Lecture Notes in Artificial Intelligence 1574, pp. 474-478, Springer, ISBN 3-540-65866.
Reports, Presentations and Software
People