Finding Corrupted Computers Using Imperfect Intrusion Prevention System Event Data

Danielle Chrun (1), Michel Cukier (1), and Gerry Sneeringer (2)

(1) Center for Risk and Reliability, University of Maryland, College Park, Maryland 20742-7531
(2) Office of Information Technology, University of Maryland, College Park, Maryland 20742-7531
{chrun,mcukier,sneeri}@umd.edu
Abstract. With the increase of attacks on the Internet, a primary concern for organizations is how to protect their network. The objectives of a security team are 1) to prevent external attackers from launching successful attacks against organization computers that could become compromised, and 2) to ensure that organization computers are not vulnerable (e.g., that they are fully patched), so that in either case the organization computers do not start launching attacks. The security team can monitor and block malicious activity by using devices such as intrusion prevention systems. However, in large organizations, such monitoring devices can record a high number of events. The contributions of this paper are 1) to introduce a method that ranks potentially corrupted computers based on imperfect intrusion prevention system event data, and 2) to evaluate the method based on empirical data collected at a large organization of about 40,000 computers. The evaluation is based on the judgment of a security expert as to which computers were indeed corrupted. On the one hand, we studied how many computers classified as of high concern or of concern were indeed corrupted (i.e., true positives). On the other hand, we analyzed how many computers classified as of lower concern were in fact corrupted (i.e., false negatives).
Keywords: Security Metrics, Empirical Study, Intrusion Prevention Systems.
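The abstract describes an evaluation in which a ranking of computers into "high concern", "concern" and "lower concern" is compared with a security expert's judgment of which computers were actually corrupted: true positives among the flagged computers, and false negatives among those ranked as of lower concern. The following Python script is an added illustration of that evaluation and is not the paper's code or method. The IPS log lines, the expert judgment and the ranking rule (bucketing hosts by how many IPS events they triggered, with the thresholds in `classify_hosts`) are all constructed assumptions for the example; the paper's actual ranking method is not shown on this page.

```python
import re
from collections import Counter

# Constructed IPS log lines (not data from the paper): one event per line,
# recording the internal source host, the matched signature and the device action.
SAMPLE_LOG = """\
2008-03-01T10:02:11 src=10.0.0.5 sig=WORM-PROBE action=block
2008-03-01T10:02:15 src=10.0.0.5 sig=WORM-PROBE action=block
2008-03-01T10:03:40 src=10.0.0.5 sig=SMB-SCAN action=block
2008-03-01T11:15:02 src=10.0.0.5 sig=SMB-SCAN action=block
2008-03-01T11:15:09 src=10.0.0.5 sig=IRC-BOTNET action=alert
2008-03-01T12:00:00 src=10.0.0.5 sig=IRC-BOTNET action=alert
2008-03-01T09:12:44 src=10.0.0.9 sig=SMB-SCAN action=block
2008-03-01T09:13:01 src=10.0.0.9 sig=SMB-SCAN action=block
2008-03-01T14:40:33 src=10.0.0.9 sig=WORM-PROBE action=block
2008-03-01T08:05:17 src=10.0.0.13 sig=P2P-POLICY action=alert
2008-03-01T17:22:08 src=10.0.0.13 sig=P2P-POLICY action=alert
2008-03-01T13:31:55 src=10.0.0.21 sig=IRC-BOTNET action=alert
2008-03-01T16:03:29 src=10.0.0.30 sig=P2P-POLICY action=alert
"""

# Constructed expert judgment: hosts the security expert confirmed as corrupted.
EXPERT_CORRUPTED = {"10.0.0.5", "10.0.0.9", "10.0.0.21"}

EVENT_RE = re.compile(r"src=(?P<src>\S+)\s+sig=(?P<sig>\S+)\s+action=(?P<action>\S+)")


def parse_events(log_text):
    """Return a list of (src, sig, action) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("sig"), m.group("action")))
    return events


def classify_hosts(events, high_threshold=5, concern_threshold=2):
    """Assumed placeholder ranking (not the paper's method): bucket each internal
    source host by the number of IPS events it triggered."""
    counts = Counter(src for src, _, _ in events)
    classes = {}
    for host, n in counts.items():
        if n >= high_threshold:
            classes[host] = "high concern"
        elif n >= concern_threshold:
            classes[host] = "concern"
        else:
            classes[host] = "lower concern"
    return classes


def evaluate(classes, corrupted):
    """Compare the classification with the expert's judgment using the two measures
    the abstract describes: true positives among hosts flagged as of high concern or
    of concern, and false negatives among hosts ranked as of lower concern."""
    flagged = {h for h, c in classes.items() if c in ("high concern", "concern")}
    lower = {h for h, c in classes.items() if c == "lower concern"}
    tp = flagged & corrupted          # flagged and indeed corrupted
    fp = flagged - corrupted          # flagged but clean (analyst time spent for nothing)
    fn = lower & corrupted            # ranked low but corrupted (the misses that matter most)
    return {
        "flagged": len(flagged),
        "true_positives": len(tp),
        "false_positives": len(fp),
        "lower_concern": len(lower),
        "false_negatives": len(fn),
        "precision": len(tp) / len(flagged) if flagged else 0.0,
        "missed_hosts": sorted(fn),
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    classes = classify_hosts(events)
    for host, concern in sorted(classes.items()):
        print(f"{host:12} {concern}")
    print(evaluate(classes, EXPERT_CORRUPTED))
```

On the constructed sample, three hosts are flagged, two of them confirmed corrupted, and one corrupted host (10.0.0.21, a single botnet-related alert) lands in the lower-concern bucket. That last case is the kind of false negative the abstract's second measure is meant to expose: a purely count-based rule under-weights a rare but serious signature, which is why the thresholds and the choice of features deserve the same scrutiny as the true-positive rate.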
1 Introduction
With the increase of attacks on the Internet, a primary concern for organizations is how to protect their network. To do so, organizations monitor their traffic using security devices such as intrusion detection systems or intrusion prevention systems. The monitored activity provides some insight into an organization's security and identifies potentially corrupted computers. While in some organizations the quantity of monitored traffic is manageable, analyzing security data becomes burdensome for large organizations. For example, intrusion prevention systems can record thousands of alerts per day, and the security team cannot investigate every alert. Moreover, although intrusion prevention systems are aimed at detecting and blocking malicious activity, they also raise false alarms. Due to 1) the potentially large quantity of data to deal with, and 2) the number of
M.D. Harrison and M.-A. Sujan (Eds.): SAFECOMP 2008, LNCS 5219, pp. 221–234, 2008.
© Springer-Verlag Berlin Heidelberg 2008