Journal of Network and Systems Management
Current reactive, standalone network security products cannot withstand the onslaught of diversified network threats. As a result, a new security paradigm is emerging in which integrated security devices and systems collaborate closely to achieve enhanced protection and provide multi-layer defenses. In this paper we present the design of a collaborative architecture in which multiple intrusion detection systems work together to detect network intrusions in real time. Detection is made more efficient and effective by combining collaborative intelligent agents, a relevant knowledge base and multiple detection sensors. The architecture is composed of three parts: Collaborative Alert Aggregation, Knowledge-based Alert Evaluation and Alert Correlation. It aims to reduce alert overload by correlating results from multiple sensors into condensed views, to reduce false positives by integrating network and host system information into the evaluation process, and to correlate events on the basis of their logical relations into a global, synthesized alert report. The architecture is designed as a layer above intrusion detection, for post-detection alert analysis and security actions. The first two parts of the architecture have been implemented, and the implementation results are presented in this paper.
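The two implemented parts of the architecture, alert aggregation across sensors followed by knowledge-based evaluation against a host inventory, can be illustrated with a small post-detection pipeline. The following is an added example written for this page, not the authors' implementation; the sensor names, alert fields, signature names, signature profiles and host inventory are all constructed, and the priority rule (base score for applicability, multiplied by the number of corroborating sensors) is an assumption chosen for illustration rather than the paper's scoring.

```python
"""Toy post-detection pipeline: collaborative alert aggregation followed by
knowledge-based alert evaluation. Added illustration, not the paper's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed raw alerts from three hypothetical sensors (two NIDS, one HIDS).
RAW_ALERTS = [
    {"sensor": "nids-A", "ts": 100.0, "sig": "IIS_UNICODE_TRAVERSAL", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80},
    {"sensor": "nids-B", "ts": 102.0, "sig": "IIS_UNICODE_TRAVERSAL", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80},
    {"sensor": "nids-A", "ts": 105.0, "sig": "IIS_UNICODE_TRAVERSAL", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80},
    {"sensor": "nids-A", "ts": 200.0, "sig": "IIS_UNICODE_TRAVERSAL", "src": "10.0.0.5", "dst": "192.168.1.20", "dport": 80},
    {"sensor": "hids-20", "ts": 201.0, "sig": "IIS_UNICODE_TRAVERSAL", "src": "10.0.0.5", "dst": "192.168.1.20", "dport": 80},
    {"sensor": "nids-B", "ts": 300.0, "sig": "SSH_BRUTE_FORCE", "src": "10.0.0.7", "dst": "192.168.1.30", "dport": 22},
    {"sensor": "nids-A", "ts": 400.0, "sig": "IIS_UNICODE_TRAVERSAL", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80},
]

# Constructed host inventory (the "knowledge base"): OS and service per port.
KNOWLEDGE_BASE = {
    "192.168.1.10": {"os": "linux", "services": {80: "apache"}},
    "192.168.1.20": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}

# Constructed signature profiles: what each signature's attack actually needs.
SIGNATURE_PROFILES = {
    "IIS_UNICODE_TRAVERSAL": {"os": "windows", "service": "iis"},
    "SSH_BRUTE_FORCE": {"service": "ssh"},
}

# Assumed base scores; not_applicable stays zero however many sensors fired.
BASE_PRIORITY = {"applicable": 3, "unknown": 2, "not_applicable": 0}


@dataclass
class MetaAlert:
    sig: str
    src: str
    dst: str
    dport: int
    first: float
    last: float
    count: int = 0
    sensors: Set[str] = field(default_factory=set)


def aggregate(alerts: List[dict], window: float = 30.0) -> List[MetaAlert]:
    """Collaborative aggregation: merge alerts sharing (sig, src, dst, dport)
    that arrive within `window` seconds of the previous one, from any sensor."""
    open_meta: Dict[tuple, MetaAlert] = {}
    metas: List[MetaAlert] = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["sig"], a["src"], a["dst"], a["dport"])
        meta = open_meta.get(key)
        if meta is None or a["ts"] - meta.last > window:
            meta = MetaAlert(*key, first=a["ts"], last=a["ts"])
            open_meta[key] = meta
            metas.append(meta)
        meta.last = a["ts"]
        meta.count += 1
        meta.sensors.add(a["sensor"])
    return metas


def evaluate(meta: MetaAlert, kb: dict, profiles: dict) -> Tuple[str, str]:
    """Knowledge-based evaluation: check the target host against the
    signature's OS/service profile to decide whether the attack can apply."""
    host = kb.get(meta.dst)
    if host is None:
        return "unknown", "no inventory record for target"
    req = profiles.get(meta.sig, {})
    if "os" in req and req["os"] != host["os"]:
        return "not_applicable", f"target runs {host['os']}, signature needs {req['os']}"
    svc = host["services"].get(meta.dport)
    if "service" in req and req["service"] != svc:
        return "not_applicable", f"port {meta.dport} runs {svc}, signature needs {req['service']}"
    return "applicable", "target matches signature profile"


def run_pipeline(alerts: List[dict], kb: dict = KNOWLEDGE_BASE,
                 profiles: dict = SIGNATURE_PROFILES, window: float = 30.0) -> List[dict]:
    """Return a condensed, prioritized report: one row per meta-alert."""
    report = []
    for m in aggregate(alerts, window):
        verdict, reason = evaluate(m, kb, profiles)
        # Corroboration by several sensors scales the base score (assumed rule).
        priority = BASE_PRIORITY[verdict] * len(m.sensors)
        report.append({
            "sig": m.sig, "src": m.src, "dst": m.dst, "dport": m.dport,
            "first": m.first, "last": m.last, "count": m.count,
            "sensors": sorted(m.sensors), "verdict": verdict,
            "reason": reason, "priority": priority,
        })
    report.sort(key=lambda r: (-r["priority"], r["first"]))
    return report


if __name__ == "__main__":
    for row in run_pipeline(RAW_ALERTS):
        print(row)
```

On the constructed input, seven raw alerts condense to four meta-alerts; the IIS traversal against the Linux/Apache host is scored zero because the knowledge base shows the signature cannot apply, while the same signature against the Windows/IIS host, seen by both a NIDS and the host's own HIDS, rises to the top of the report. A target absent from the inventory is reported as "unknown" rather than silently discarded, which is the safe failure mode for an incomplete knowledge base.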