A Rule-Based Intrusion Alert Correlation System for Integrated Security Management
Traditional host- and network-based IDSs each detect a single intrusion from log data or packet information respectively, so they inherently generate a huge number of false alerts because they lack information about interrelated alarms. In order to reduce the number of false alarms and then detect a real intrusion, a new alert-analyzing system is needed. In this paper, we propose a rule-based alert correlation system that reduces the number of false alerts, correlates them, and decides which alerts are parts of the real attack. Our alert correlation system consists of an alert manager, an alert preprocessor, and an alert correlator. The alert manager takes charge of storing filtered alerts in our alert database. The alert preprocessor reduces the stored alerts to facilitate further correlation analysis. The alert correlator reports global attack plans.
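The three-stage pipeline described in the abstract (manager filters and stores, preprocessor reduces, correlator reports attack plans) is illustrated below with an added Python example. This is not the paper's own code: the alert fields, the noise filter, the time-window merging policy, the rule format (an ordered list of signatures on one source/destination pair within a maximum span) and all sample alerts and signature names are assumptions constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Alert schema is an assumption of this example, not the paper's database layout.
@dataclass
class Alert:
    alert_id: int
    ts: datetime
    sensor: str      # "hids" or "nids"
    signature: str
    src: str
    dst: str

@dataclass
class HyperAlert:
    """Several raw alerts merged into one; raw ids are kept so an analyst can drill down."""
    signature: str
    src: str
    dst: str
    first_ts: datetime
    last_ts: datetime
    alert_ids: List[int] = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.alert_ids)

class AlertManager:
    """Stage 1: drop signatures on an assumed noise list, store everything else."""
    def __init__(self, noise_signatures: List[str]):
        self.noise = set(noise_signatures)
        self.db: List[Alert] = []
        self.dropped = 0

    def store(self, alert: Alert) -> bool:
        if alert.signature in self.noise:
            self.dropped += 1
            return False
        self.db.append(alert)
        return True

class AlertPreprocessor:
    """Stage 2: merge repeats of (signature, src, dst) that arrive within a time window."""
    def __init__(self, window: timedelta):
        self.window = window

    def reduce(self, alerts: List[Alert]) -> List[HyperAlert]:
        merged: List[HyperAlert] = []
        for a in sorted(alerts, key=lambda x: x.ts):
            for h in merged:
                same_key = (h.signature, h.src, h.dst) == (a.signature, a.src, a.dst)
                if same_key and a.ts - h.last_ts <= self.window:
                    h.last_ts = a.ts
                    h.alert_ids.append(a.alert_id)
                    break
            else:  # no open hyper-alert to join: start a new one
                merged.append(HyperAlert(a.signature, a.src, a.dst, a.ts, a.ts, [a.alert_id]))
        return merged

@dataclass
class Rule:
    name: str
    steps: List[str]      # signatures expected in this time order on one (src, dst) pair
    max_span: timedelta   # first step to last step must fit in this span

class AlertCorrelator:
    """Stage 3: match rules against the per-pair time line and report attack plans."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def correlate(self, hyper: List[HyperAlert]) -> List[dict]:
        by_pair: Dict[Tuple[str, str], List[HyperAlert]] = {}
        for h in hyper:
            by_pair.setdefault((h.src, h.dst), []).append(h)
        scenarios = []
        for (src, dst), hs in by_pair.items():
            hs.sort(key=lambda h: h.first_ts)
            for rule in self.rules:
                matched = self._match(rule, hs)
                if matched:
                    scenarios.append({"rule": rule.name, "src": src, "dst": dst,
                                      "steps": [(h.signature, h.count) for h in matched],
                                      "raw_alerts": sum(h.count for h in matched)})
        return scenarios

    @staticmethod
    def _match(rule: Rule, hs: List[HyperAlert]) -> List[HyperAlert]:
        # Greedy in-order subsequence match of the rule's steps on one pair's time line.
        matched, i = [], 0
        for h in hs:
            if i < len(rule.steps) and h.signature == rule.steps[i]:
                matched.append(h)
                i += 1
        if i == len(rule.steps) and matched[-1].first_ts - matched[0].first_ts <= rule.max_span:
            return matched
        return []

# Constructed sample alerts: one multi-step plan, one stray scan, one late scan.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(1, T0, "nids", "RECON_PORTSCAN", "10.0.0.5", "10.0.0.20"),
    Alert(2, T0 + timedelta(seconds=2), "nids", "RECON_PORTSCAN", "10.0.0.5", "10.0.0.20"),
    Alert(3, T0 + timedelta(seconds=4), "nids", "RECON_PORTSCAN", "10.0.0.5", "10.0.0.20"),
    Alert(4, T0 + timedelta(seconds=5), "nids", "ICMP_ECHO", "10.0.0.5", "10.0.0.20"),
    Alert(5, T0 + timedelta(minutes=3), "nids", "WEB_EXPLOIT_ATTEMPT", "10.0.0.5", "10.0.0.20"),
    Alert(6, T0 + timedelta(minutes=3, seconds=1), "nids", "WEB_EXPLOIT_ATTEMPT", "10.0.0.5", "10.0.0.20"),
    Alert(7, T0 + timedelta(minutes=6), "hids", "NEW_ADMIN_ACCOUNT", "10.0.0.5", "10.0.0.20"),
    Alert(8, T0 + timedelta(minutes=7), "nids", "RECON_PORTSCAN", "10.0.0.9", "10.0.0.21"),
    Alert(9, T0 + timedelta(minutes=40), "nids", "RECON_PORTSCAN", "10.0.0.5", "10.0.0.20"),
]
RULES = [Rule("web-server-compromise",
              ["RECON_PORTSCAN", "WEB_EXPLOIT_ATTEMPT", "NEW_ADMIN_ACCOUNT"], timedelta(minutes=30))]

def run_pipeline(alerts: List[Alert] = SAMPLE_ALERTS) -> dict:
    manager = AlertManager(noise_signatures=["ICMP_ECHO"])
    for a in alerts:
        manager.store(a)
    hyper = AlertPreprocessor(window=timedelta(seconds=60)).reduce(manager.db)
    scenarios = AlertCorrelator(RULES).correlate(hyper)
    used = {i for s in scenarios for _, _ in s["steps"] for i in ()}  # placeholder, replaced below
    used_ids = {aid for s in scenarios for h in hyper
                if (h.src, h.dst) == (s["src"], s["dst"]) and (h.signature, h.count) in s["steps"]
                for aid in h.alert_ids}
    uncorrelated = sum(1 for h in hyper if not set(h.alert_ids) & used_ids)
    return {"stored": len(manager.db), "dropped": manager.dropped,
            "hyper_alerts": len(hyper), "scenarios": scenarios, "uncorrelated": uncorrelated}

if __name__ == "__main__":
    print(run_pipeline())
```

On the constructed input, nine raw alerts become eight stored, five hyper-alerts, and one reported plan that spans six raw alerts; the stray scan from the second source and the late scan (outside both the merge window and the rule's span) stay uncorrelated and are reported as such rather than silently dropped.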