Time series modeling for IDS alert management
ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
The main use of intrusion detection systems (IDS) is to detect attacks against information systems and networks. Normal use of the network and its functioning can also be monitored with an IDS: it can be used to control, for example, the use of management and signaling protocols, or the network traffic related to some less critical aspects of system policies. These complementary usages can generate large numbers of alerts, but in an operational environment the collection of such data may still be mandated by the security policy. Processing this type of alert presents a different problem from correlating alerts directly related to attacks or filtering incorrectly issued alerts. We aggregate individual alerts into alert flows, and then process the flows instead of individual alerts, for two reasons. First, this is necessary to cope with the large quantity of alerts, a problem common to all alert correlation approaches. Second, the relevance of an individual alert is often indeterminable, whereas irrelevant alerts and interesting phenomena can be identified at the flow level. This is the distinguishing feature of the alerts created by the complementary uses of IDSes. Flows consisting of alerts related to normal system behavior can contain strong regularities. We propose to model these regularities using non-stationary autoregressive models. Once modeled, the regularities can be filtered out to relieve the security operator from manual analysis of true, but low impact, alerts. We present experimental results using these models to process voluminous alert flows from an operational network.
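The flow aggregation and non-stationary autoregressive filtering described in the abstract, as an added example that is not the paper's own code: alert records are binned per signature into per-minute counts, an AR(2) model with time-varying coefficients is fitted online by recursive least squares with a forgetting factor (an assumed choice; the paper's actual model and parameters are not given on this page), and bins whose one-step prediction error exceeds three running residual standard deviations are reported to the operator. The alert records are constructed.

```python
import math

# Constructed sample input (not real IDS data): one signature firing 8 times in
# even minutes and 12 in odd minutes (a polling protocol the policy says to
# log), plus a burst of 52 extra alerts inside minute 20.
ALERTS = [(60 * b + i, "sid:2001") for b in range(26)
          for i in range(8 if b % 2 == 0 else 12)]
ALERTS += [(60 * 20 + 8 + i, "sid:2001") for i in range(52)]

def bin_alerts(alerts, width=60):
    """Aggregate (timestamp, signature) pairs into alert flows: one list of
    per-bin counts for each signature, `width` seconds per bin."""
    last = max(ts for ts, _ in alerts) // width
    flows = {}
    for ts, sid in alerts:
        flows.setdefault(sid, [0] * (last + 1))[ts // width] += 1
    return flows

def ar_rls_filter(series, p=2, lam=0.98, delta=100.0, k=3.0):
    """Fit an AR(p) model online by recursive least squares with forgetting
    factor lam (coefficients drift, i.e. a non-stationary model) and return
    the bins whose one-step prediction error exceeds k running residual
    standard deviations. A flagged bin is replaced by its forecast in the
    history and skipped by the update, so a burst cannot explain itself."""
    theta = [0.0] * p                                    # AR coefficients
    P = [[delta if i == j else 0.0 for j in range(p)] for i in range(p)]
    hist = list(series[:p])                              # cleaned history
    ms, flagged = 1.0, []                                # ms: EWMA of err^2
    for t in range(p, len(series)):
        x = [hist[t - i - 1] for i in range(p)]
        pred = sum(a * b for a, b in zip(theta, x))
        err = series[t] - pred
        if t > 2 * p and abs(err) > k * math.sqrt(ms):  # warm-up: no flags
            flagged.append(t)
            hist.append(pred)
            continue
        hist.append(series[t])
        ms = 0.9 * ms + 0.1 * err * err
        Px = [sum(P[i][j] * x[j] for j in range(p)) for i in range(p)]
        gain = [v / (lam + sum(x[i] * Px[i] for i in range(p))) for v in Px]
        theta = [theta[i] + gain[i] * err for i in range(p)]
        P = [[(P[i][j] - gain[i] * Px[j]) / lam for j in range(p)]
             for i in range(p)]
    return flagged

def find_anomalous_bins(alerts):
    """Filter every flow; only the flagged bins reach the operator."""
    return {sid: ar_rls_filter(counts) for sid, counts in bin_alerts(alerts).items()}
```

The regular 8/12 alternation is absorbed by the model after a few bins, so only the burst in minute 20 survives the filter.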