Real-time analysis of intrusion detection alerts via correlation

With the growing deployment of networks and the Internet, the importance of network security has increased. Recently, however, intrusion detection systems, which are an important security countermeasure, have been unable to provide proper analysis or an effective defense mechanism. Instead, they have overwhelmed human operators with a large volume of intrusion detection alerts. This paper presents a fast and efficient system for analyzing alerts. Our system is based on probabilistic correlation. However, we enhance the probabilistic correlation by applying more systematically defined similarity functions, and we also present a new correlation component that is absent from other correlation models. The system can produce meaningful information by aggregating and correlating the large volume of alerts, and it can detect large-scale attacks such as distributed denial of service (DDoS) at an early stage. We measured the processing rate of each elementary component and carried out a scenario-based test in order to analyze the efficiency of our system. Although the system is still imperfect, we were able to reduce the numerous redundant alerts to 5.5% of the original volume without distorting their meaning, using a two-phase reduction. This ability reduces the management overhead drastically and makes analysis and correlation easier. Moreover, we were able to construct attack scenarios for multistep attacks and detect large-scale attacks in real time. (C) 2005 Elsevier Ltd. All rights reserved.
Publisher
ELSEVIER ADVANCED TECHNOLOGY
Issue Date
2006-05
Language
ENG
Citation
COMPUTERS & SECURITY, v.25, no.3, pp.169 - 183
ISSN
0167-4048
DOI
10.1016/j.cose.2005.09.004
URI
http://hdl.handle.net/10203/359
Appears in Collection
CS-Journal Papers (Journal Papers)