Active event correlation in Bro IDS to detect multi-stage attacks

Many recent computer attacks have been launched in multiple stages to evade the detection of existing intrusion detection systems (IDS). Some stages of the attack may appear innocent if checked separately. Furthermore, the intervals between these separate attack stages can be on the order of hours, days, or even months. These characteristics of multi-stage attacks make the detection task challenging for most existing IDSs that are stateless in that they perform intrusion detection by independently checking individual packets, connections or sessions. In this paper, we propose a novel approach, active event correlation (AEC), which collects and correlates suspicious network events inside a network intrusion detection system (NIDS). AEC infers the possibility of attacks in the context of security policies and blocks attacks before they are completed. We have implemented AEC on top of the Bro NIDS (Paxson, 1999). Experiments indicate that AEC can effectively recognize and correlate individual stages of multi-stage attacks, stop incomplete attack stages, and give network administrators meaningful and concise alerts