Towards identifying true threat from network security data

Authors:
Zhi-Tang Li;Jie Lei;Li Wang;Dong Li;Yang-Ming Ma
Affiliations:
Computer Science Department, Huazhong University of Science and Technology, Wuhan, Hubei, China;Computer Science Department, Huazhong University of Science and Technology, Wuhan, Hubei, China;Computer Science Department, Huazhong University of Science and Technology, Wuhan, Hubei, China;Computer Science Department, Huazhong University of Science and Technology, Wuhan, Hubei, China;Computer Science Department, Huazhong University of Science and Technology, Wuhan, Hubei, China
Venue:
PAISI'07 Proceedings of the 2007 Pacific Asia conference on Intelligence and security informatics
Year:
2007

Citing 13
Cited 0

A data mining analysis of RTID alarms

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
A requires/provides model for computer attacks

Proceedings of the 2000 workshop on New security paradigms
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Alert Correlation in a Cooperative Intrusion Detection Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Managing Alerts in a Multi-Intrusion Detection Environment

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Mining Alarm Clusters to Improve Alarm Handling Efficiency

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Techniques and tools for analyzing intrusion alerts

ACM Transactions on Information and System Security (TISSEC)
Alert Correlation through Triggering Events and Common Resources

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
A novel technique of recognizing multi-stage attack behaviour

IWNAS '06 Proceedings of the 2006 International Workshop on Networking, Architecture, and Storages
A mission-impact-based approach to INFOSEC alarm correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
M2D2: a formal data model for IDS alert correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

Among the challenges in the field of network security management, one significant problem is the increasing difficulty in identifying the security incidents which pose true threat to the protected network system from tremendous volume of raw security alerts. This paper presents our work on integrated management of network security data for true threat identification within the SATA (Security Alert and Threat Analysis) project. An algorithm for real-time threat analysis of security alerts is presented. Early experiments performed in a branch network of CERNET (China Education and Research Network) including an attack testing sub-network have shown that the system can effectively identify true threats from various security alerts.