EC-Council: Computer Hacking Forensic Investigator (CHFI-V10)
Module 8: Network Forensics
Note ID: 107
Event Correlation Approaches
Numerous methodologies can be applied to conduct event correlation based on log data. The following are some widely used approaches:

- Neural Network-Based Approach: This approach uses a neural network to detect anomalies in the event stream, the root causes of fault events, and so on.
- Codebook-Based Approach: This approach uses a codebook to store a set of events and correlate them.
- Rule-Based Approach: In this approach, events are correlated according to a set of rules of the form condition -> action.
- Field-Based Approach: This is a basic approach in which specific events are compared against one or more fields in the normalized data.
- Automated Field Correlation: This method systematically checks and compares all the fields for positive and negative correlation with one another, to determine correlation across one or multiple fields.
- Packet Parameter/Payload Correlation for Network Management: This approach correlates particular packets with other packets. It can produce a list of potential new attacks by comparing packets with attack signatures.
- Profile/Fingerprint-Based Approach: A series of data sets can be gathered from forensic event data, such as isolated OS fingerprints, isolated port scans, fingerprint information, and banner snatching, to compare linked attack data with other attacker profiles. This information is used to identify whether a system serves as a relay for a hacker or is a formerly compromised host, and to detect the same hacker operating from different locations.
- Vulnerability-Based Approach: This approach maps IDS events that target a particular vulnerable host with the help of a vulnerability scanner. It is also used to deduce an attack on a particular host in advance, and it prioritizes attack data so that you can respond to the trouble spots quickly.
- Open-Port-Based Correlation: This approach determines the rate of successful attacks by comparing the list of open ports available on the host with those that are under attack.
- Bayesian Correlation: This is an advanced correlation approach that predicts what an attacker can do next after the attack, using statistics and probability theory; it works with only two variables.
- Time (Clock Time) or Role-Based Approach: This approach monitors the behavior of computers and their users, and triggers alerts when anomalies are found.
- Route Correlation: This approach extracts information on the attack route and uses it to single out other attack data.
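The rule-based (condition -> action) and field-based approaches above, as an added example that is not part of the original note: a small correlator run over constructed, normalized login events. The event records, the watchlist address and the "three failures then a success within 60 seconds" rule are assumptions chosen to illustrate the two approaches.

```python
from datetime import datetime, timedelta

# Constructed, normalized log events: (timestamp, src_ip, user, event_type)
EVENTS = [
    ("2024-01-10T09:00:01", "10.0.0.5", "alice", "auth_fail"),
    ("2024-01-10T09:00:03", "10.0.0.5", "alice", "auth_fail"),
    ("2024-01-10T09:00:04", "10.0.0.5", "alice", "auth_fail"),
    ("2024-01-10T09:00:09", "10.0.0.5", "alice", "auth_success"),
    ("2024-01-10T09:05:00", "10.0.0.7", "bob", "auth_fail"),
    ("2024-01-10T09:20:00", "10.0.0.7", "bob", "auth_success"),
    ("2024-01-10T09:21:00", "203.0.113.9", "carol", "auth_success"),
]

def parse(events):
    """Turn the constructed tuples into dicts with real datetime values."""
    return [{"ts": datetime.fromisoformat(ts), "src_ip": ip, "user": user, "type": typ}
            for ts, ip, user, typ in events]

def field_correlate(events, field, values):
    """Field-based approach: compare one normalized field against a value set
    (here a constructed watchlist of source addresses)."""
    return [e for e in events if e[field] in values]

def rule_correlate(events, min_fails=3, window=timedelta(seconds=60)):
    """Rule-based approach, condition -> action.
    condition: at least min_fails auth_fail events for the same (src_ip, user)
               within `window`, followed by an auth_success from that pair
    action:    emit an alert record describing the likely password guessing"""
    alerts = []
    history = {}  # (src_ip, user) -> timestamps of recent auth_fail events
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src_ip"], e["user"])
        # keep only failures still inside the correlation window
        fails = [t for t in history.get(key, []) if e["ts"] - t <= window]
        if e["type"] == "auth_fail":
            fails.append(e["ts"])
        elif e["type"] == "auth_success" and len(fails) >= min_fails:
            alerts.append({"action": "alert", "src_ip": e["src_ip"], "user": e["user"],
                           "fails_before_success": len(fails), "at": e["ts"].isoformat()})
            fails = []  # condition consumed; start a fresh window
        history[key] = fails
    return alerts

if __name__ == "__main__":
    evs = parse(EVENTS)
    print(field_correlate(evs, "src_ip", {"203.0.113.9"}))
    print(rule_correlate(evs))
```

Bob's single failure fifteen minutes before his success falls outside the window, so only Alice's sequence satisfies the rule; the watchlist match for Carol is a pure field comparison and needs no ordering at all.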