IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
NetSTAT: a network-based intrusion detection system
Journal of Computer Security
A data mining analysis of RTID alarms
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
A requires/provides model for computer attacks
Proceedings of the 2000 workshop on New security paradigms
An algebra for composing access control policies
ACM Transactions on Information and System Security (TISSEC)
ADeLe: an attack description language for knowledge-based intrustion detection
Sec '01 Proceedings of the 16th international conference on Information security: Trusted information: the new decade challenge
STATL: an attack language for state-based intrusion detection
Journal of Computer Security
Experience with EMERALD to Date
Proceedings of the Workshop on Intrusion Detection and Network Monitoring
A propositional policy algebra for access control
ACM Transactions on Information and System Security (TISSEC)
Detecting Anomalous and Unknown Intrusions Against Programs
ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
Alert Correlation in a Cooperative Intrusion Detection Framework
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Designing and implementing a family of intrusion detection systems
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Anomaly detection of web-based attacks
Proceedings of the 10th ACM conference on Computer and communications security
A Systematic Approach to Multi-Stage Network Attack Analysis
IWIA '04 Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04)
Techniques and tools for analyzing intrusion alerts
ACM Transactions on Information and System Security (TISSEC)
Alert Correlation through Triggering Events and Common Resources
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Beyond separation of duty: an algebra for specifying high-level security policies
Proceedings of the 13th ACM conference on Computer and communications security
Modeling network intrusion detection alerts for correlation
ACM Transactions on Information and System Security (TISSEC)
M2D2: a formal data model for IDS alert correlation
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
| Hi-index | 0.00 |
Most of the existing intrusion detection systems (IDS) oftengenerate large numbers of alerts which contain numerous false positivesand non relevant positives. Alert correlation techniques aim to aggregateand combine the outputs of single/multiple IDS to provide a conciseand broad view of the security state of network. Capability based alertcorrelator uses notion of capability to correlate IDS alerts where capabilityis the abstract view of attack extracted from IDS alerts/alert. Tomake correlation process semantically correct and systematic, there is astrong need to identify the algebraic and set properties of capability. Inthis work, we identify the potential algebraic properties of capability interms of operations, relations and inferences. These properties give betterinsight to understand the logical association between capabilities whichwill be helpful in making the system modular. This paper also presentsvariant of correlation algorithm by using these algebraic properties. Tomake these operations more realistic, existing capability model has beenempowered by adding time-based notion which helps to avoid temporalambiguity between capability instances. The comparison between basicmodel and proposed model is exhibited by demonstrating cases in whichfalse positives have been removed that occurred due to temporal ambiguity.