Louis Perrochon, Eunhei Jang, Stephane Kasriel, David C. Luckham.
Computer Systems Laboratory, Stanford University, Stanford, CA 94305.
DARPA Information Survivability Conference & Exposition (DISCEX'00),
25-27 January 2000, Hilton Head, South Carolina. IEEE Computer
Society Press.
Keywords: Complex event processing, correlation, root
cause analysis, information assurance, intrusion detection,
network operations and management.
Language: English.
Abstract:
Cyber warfare consists to a large degree of reacting to activities
happening in the information infrastructure. Better knowledge
of the status of this infrastructure at any time allows more
appropriate reactions. Context-based event correlation can
provide a more appropriate view of the cyber battlefield by
giving users a view at the desired level of abstraction.
We introduce context as the temporal and causal relations
between events. Event correlation based on event patterns
in a declarative language means we specify what to detect
instead of how to detect it. We describe the Stanford University
context-based event correlator, which is able to process events
on-line, as they are generated, and can be reconfigured dynamically
while it is running. Using the example of intrusion detection,
we show how complex event processing (CEP) increases the detection
rate, reduces false alarms, and detects large-scale attack patterns
at an early stage.
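The correlation idea the abstract describes, as an added example that is not the paper's code: patterns are declared as data (what to detect), a small engine consumes events on-line, keeps recent events as temporal context, can be reconfigured while running, and an isolated failed login raises no alarm while a chain of failures followed by a success from the same source inside a time window does. The event types, attribute names, pattern format and sample stream are all constructed for illustration.

```python
from collections import deque

# Constructed sample stream (not from the paper): (time_seconds, event_type, attributes)
EVENTS = [
    (0,   "login_failed", {"src": "10.0.0.5", "user": "alice"}),
    (5,   "login_failed", {"src": "10.0.0.5", "user": "alice"}),
    (9,   "login_failed", {"src": "10.0.0.5", "user": "alice"}),
    (12,  "login_ok",     {"src": "10.0.0.5", "user": "alice"}),
    (40,  "login_failed", {"src": "10.0.0.9", "user": "bob"}),    # isolated failure: no alarm
    (300, "login_failed", {"src": "10.0.0.5", "user": "carol"}),
    (301, "login_ok",     {"src": "10.0.0.5", "user": "carol"}),  # earlier failures are out of window
]
# Hypothetical declarative pattern format: a causal chain of event types that must
# share the `key` attributes and fall within `window` seconds (what to detect, not how).
PATTERNS = [
    {"name": "brute_force_success", "key": ("src",), "window": 60,
     "chain": ["login_failed", "login_failed", "login_failed", "login_ok"]},
]

class Correlator:
    """Matches declarative patterns against events one at a time, as they arrive."""
    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.history = deque()          # recent low-level events kept as context
    def reconfigure(self, patterns):    # swap patterns while running; context is kept
        self.patterns = list(patterns)
    def process(self, event):           # feed one event; return higher-level events it completes
        t, etype, attrs = event
        self.history.append(event)
        while t - self.history[0][0] > 3600:          # age out context older than an hour
            self.history.popleft()
        out = []
        for p in self.patterns:
            if etype != p["chain"][-1]:               # only the final step can complete a match
                continue
            key = tuple(attrs.get(k) for k in p["key"])
            ctx = [e for e in self.history            # same context, inside the time window
                   if t - e[0] <= p["window"] and tuple(e[2].get(k) for k in p["key"]) == key]
            i = 0                                      # match the chain in arrival order
            for e in ctx:
                if i < len(p["chain"]) and e[1] == p["chain"][i]:
                    i += 1
            if i == len(p["chain"]):
                out.append((t, p["name"], {"src": attrs.get("src"), "evidence": len(ctx)}))
        return out

def run(events, patterns=PATTERNS):    # replay a stream through a fresh correlator
    corr, alarms = Correlator(patterns), []
    for ev in events:
        alarms.extend(corr.process(ev))
    return alarms
```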