Intrusion detection systems (IDS) typically focus on low-level attacks and raise alerts independently, even though there may be logical connections between them. At the same time, the number of alerts becomes unmanageable, with true alerts mixed in among false ones. Improved techniques are therefore needed. The general idea in this paper is to introduce collaboration by taking advantage of various kinds of contextual information, enabling the IDS to correctly identify successful attacks while simultaneously reducing the number of false positives. A multilevel event correlation structure is proposed: each alert is first assigned a confidence value using contextual information, and the preprocessed alerts are then correlated using an improved temporal-causal correlation combined with that confidence value. The output is a scenario graph together with a high-level alert carrying a final confidence, which indicates the reliability of the attacks launched along a specific path. Experimental results on the DARPA 2000 data sets from Lincoln Laboratory demonstrate the potential of the proposed techniques.
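The two levels described in the abstract, as an added illustration that is not the paper's code: level one verifies each low-level alert against the target host's context and turns that into a confidence value; level two links the surviving alerts into a scenario graph by prerequisite/consequence matching under a time window, and the longest path is reported as one high-level alert with a final confidence. The asset inventory, the attack taxonomy, the scoring and confidence-combination rules, and the sample alerts are all assumptions constructed for this example.

```python
"""Confidence-weighted temporal-causal alert correlation.

Added illustration, not the paper's code: the asset context, attack
taxonomy, scoring rules and sample alerts are all assumptions made up here.
"""
from dataclasses import dataclass

# Constructed asset context (what each monitored host really runs).
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {"ftp", "ssh"}},
    "10.0.0.9": {"os": "windows", "services": {"smb"}},
}

# Assumed attack taxonomy: prerequisite/consequence capabilities per alert
# type plus the service/OS the attack only works against.
TAXONOMY = {
    "port_scan":       {"needs": set(),     "gives": {"recon"},   "service": None,   "os": None},
    "ftp_overflow":    {"needs": {"recon"}, "gives": {"root"},    "service": "ftp",  "os": "linux"},
    "iis_overflow":    {"needs": {"recon"}, "gives": {"root"},    "service": "http", "os": "windows"},
    "rootkit_install": {"needs": {"root"},  "gives": {"persist"}, "service": None,   "os": None},
}


@dataclass
class Alert:
    id: int
    ts: float      # seconds
    kind: str
    src: str
    dst: str
    confidence: float = 0.0


def assign_confidence(a):
    """Level 1: verify the alert against the target's context (assumed rules).
    An exploit reported against a service/OS the target does not have is
    almost certainly a false positive, so its confidence is driven to 0."""
    t = TAXONOMY[a.kind]
    host = ASSETS.get(a.dst)
    if host is None:
        return 0.3                       # unknown target: unverifiable
    score = 0.5
    if t["service"] is not None:
        score += 0.3 if t["service"] in host["services"] else -0.4
    if t["os"] is not None:
        score += 0.2 if t["os"] == host["os"] else -0.4
    return max(0.0, min(1.0, score))


def correlate(alerts, window=600.0, min_conf=0.2):
    """Level 2: temporal-causal correlation over the confidence-filtered alerts.
    Edge a -> b when a precedes b within `window` seconds, both involve the
    same attacker/victim pair, and a's consequence satisfies a prerequisite of b.
    Returns (kept alerts in time order, adjacency dict {id: [successor ids]})."""
    for a in alerts:
        a.confidence = assign_confidence(a)
    kept = sorted((a for a in alerts if a.confidence >= min_conf), key=lambda a: a.ts)
    graph = {a.id: [] for a in kept}
    for i, b in enumerate(kept):
        for a in kept[:i]:
            same_pair = (a.src, a.dst) == (b.src, b.dst)
            causal = TAXONOMY[a.kind]["gives"] & TAXONOMY[b.kind]["needs"]
            if same_pair and causal and 0 < b.ts - a.ts <= window:
                graph[a.id].append(b.id)
    return kept, graph


def scenario_paths(kept, graph):
    """Walk the scenario graph in time order; each alert inherits the best
    predecessor's path. Path confidence is the mean step confidence (an
    assumed combination rule, chosen so corroborating steps raise it)."""
    by_id = {a.id: a for a in kept}
    path, final = {}, {}
    for a in kept:                       # predecessors always precede a in `kept`
        preds = [p for p, succ in graph.items() if a.id in succ]
        path[a.id] = (path[max(preds, key=final.get)] if preds else []) + [a.id]
        final[a.id] = sum(by_id[i].confidence for i in path[a.id]) / len(path[a.id])
    return final, path


def high_level_alert(alerts):
    """Emit one high-level alert: the longest reconstructed path (highest
    confidence on ties) with its final confidence and the scenario graph."""
    kept, graph = correlate(alerts)
    final, path = scenario_paths(kept, graph)
    end = max(final, key=lambda i: (len(path[i]), final[i]))
    return {"path": path[end], "confidence": final[end], "graph": graph}


def sample_alerts():
    """Constructed low-level alerts: a scan, a real FTP exploit, a bogus IIS
    exploit against the same Linux box, a rootkit install, and an unrelated scan."""
    return [
        Alert(1, 0.0,   "port_scan",       "10.0.0.99", "10.0.0.5"),
        Alert(2, 120.0, "ftp_overflow",    "10.0.0.99", "10.0.0.5"),
        Alert(3, 130.0, "iis_overflow",    "10.0.0.99", "10.0.0.5"),
        Alert(4, 300.0, "rootkit_install", "10.0.0.99", "10.0.0.5"),
        Alert(5, 50.0,  "port_scan",       "10.0.0.99", "10.0.0.9"),
    ]


if __name__ == "__main__":
    print(high_level_alert(sample_alerts()))
```

On the constructed input, the IIS overflow against the Linux FTP host scores 0 at level one and never enters the graph, the scan against the second host stays an isolated node, and the scan, FTP overflow and rootkit install chain into a single path whose mean confidence becomes the high-level alert's final confidence. The point a practitioner should take from it is that context checking and causal chaining are separate filters: the first removes alerts that cannot be true, the second ranks those that remain by how much they corroborate each other.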