ACARM-ng: Next Generation Correlation Framework

  • Bartłomiej Balcerek
  • Bartosz Szurgot
  • Mariusz Uchroński
  • Wojciech Waga
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7136)

Abstract

ACARM-ng is an extensible, plug-in-based alert correlation framework. It introduces abstractions over correlation, reporting, reaction, gathering data from multiple sources, and data storage. ACARM-ng supports real-time reporting: an alert can be reported while it is still being correlated, so a meta-alert is visible before its group has stopped growing. A Web User Interface presents gathered and correlated data to the administrator in a consistent way. The system exploits multi-core architectures and is written in C++.
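The plug-in architecture the abstract describes, as an added example that is not ACARM-ng's own code: a miniature C++ pipeline with a correlation plug-in interface, a reporting plug-in interface and a chain that drives them. The alert fields (a small IDMEF-like subset), the same-source grouping rule, the 60-second window and the sample alerts are all assumptions made for this illustration. What it shows is the real-time reporting behaviour named above, i.e. a meta-alert being emitted when it first forms and re-emitted as later alerts are merged into it, instead of being held back until the group is closed.

```cpp
// Added example, not ACARM-ng code: a minimal plug-in style correlation pipeline.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified alert: a few of the fields an IDMEF message carries (assumed subset).
struct Alert {
    std::uint64_t ts;       // detection time, seconds since the epoch
    std::string source;     // attacking address
    std::string target;     // attacked address
    std::string name;       // classification text from the sensor
};

// A correlated group of alerts; it is reported while it may still grow.
struct MetaAlert {
    std::string key;        // grouping key, here the source address
    std::uint64_t first_ts; // time of the first merged alert
    std::uint64_t last_ts;  // time of the most recent merged alert
    std::size_t count;      // number of alerts merged so far
};

// Reporting plug-in interface: called for every new or updated meta-alert.
struct Reporter {
    virtual ~Reporter() = default;
    virtual void report(const MetaAlert& m) = 0;
};

// Correlation plug-in interface: decides which alerts belong together.
struct Correlator {
    virtual ~Correlator() = default;
    virtual void process(const Alert& a, Reporter& out) = 0;
};

// Example correlation plug-in (assumed rule): alerts from one source that arrive
// within `window` seconds of the previous one are merged into one meta-alert.
class SameSourceCorrelator : public Correlator {
public:
    explicit SameSourceCorrelator(std::uint64_t window) : window_(window) {}

    void process(const Alert& a, Reporter& out) override {
        auto it = open_.find(a.source);
        // A late or out-of-order alert (ts before last_ts) opens a new group
        // instead of underflowing the unsigned subtraction below.
        const bool joins = it != open_.end() && a.ts >= it->second.last_ts &&
                           a.ts - it->second.last_ts <= window_;
        if (joins) {
            it->second.last_ts = a.ts;
            ++it->second.count;
        } else {
            open_[a.source] = MetaAlert{a.source, a.ts, a.ts, 1};
            it = open_.find(a.source);
        }
        // Real-time reporting: emit now, even though later alerts may still be
        // merged; the reporter then receives the updated group again.
        out.report(it->second);
    }

private:
    std::uint64_t window_;
    std::map<std::string, MetaAlert> open_;
};

// Reporting plug-in that records what it received (stands in for a database,
// e-mail or web-interface reporter).
struct RecordingReporter : Reporter {
    std::vector<MetaAlert> seen;
    void report(const MetaAlert& m) override { seen.push_back(m); }
};

// Pipeline: an ordered chain of correlation plug-ins feeding one reporter.
class Pipeline {
public:
    void add(std::unique_ptr<Correlator> c) { chain_.push_back(std::move(c)); }
    void feed(const Alert& a, Reporter& r) {
        for (auto& c : chain_) c->process(a, r);
    }
private:
    std::vector<std::unique_ptr<Correlator>> chain_;
};

// Run constructed sample alerts through the pipeline and return every report
// the reporter saw, in order.
std::vector<MetaAlert> run_sample() {
    RecordingReporter rep;
    Pipeline p;
    p.add(std::make_unique<SameSourceCorrelator>(60));
    const std::vector<Alert> sample = {  // constructed input, not real data
        {1000, "10.0.0.5",  "10.0.0.1", "SSH brute force"},
        {1010, "10.0.0.5",  "10.0.0.2", "SSH brute force"},  // merged, count 2
        {1020, "192.0.2.9", "10.0.0.1", "Port scan"},        // separate group
        {1100, "10.0.0.5",  "10.0.0.3", "SSH brute force"},  // 90 s gap: new group
    };
    for (const auto& a : sample) p.feed(a, rep);
    return rep.seen;
}
```

The reporter receives four reports for four input alerts: the second report is the same 10.0.0.5 meta-alert again with its count raised to 2, which is what "reported while still being correlated" means in practice. The example leaves out the input-gathering and storage abstractions the abstract also names; a real deployment would add a source plug-in in front of `Pipeline::feed` and a persisting reporter behind it, and would also expire open groups that have gone quiet so `open_` does not grow without bound.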

Keywords

correlation, alerts, IDMEF, framework, IDS, IPS

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Bartłomiej Balcerek (1)
  • Bartosz Szurgot (1)
  • Mariusz Uchroński (1)
  • Wojciech Waga (1)

  1. WCSS, Wrocław University of Technology, Wrocław, Poland