Network specific false alarm reduction in intrusion detection system
Security and Communication Networks
Traditional intrusion detection systems are known for triggering large volumes of alerts: an average commercial intrusion detection system reports thousands of alerts per day, and a large proportion of them are false alerts. In the field of alert management, alert verification is cited as a critical component in determining whether an intrusion actually succeeded. It eliminates any alert whose attack has no corresponding vulnerability on the target network, and so improves the effectiveness of the alert management approaches built on it. Alert verification alone cannot guarantee high-quality alerts, because the validated alerts may still contain a massive number of redundant alerts. Analysts who review them take longer to understand the complete security incident, since they must evaluate every single redundant alert; consequently they not only find it harder to make the correct decision but also take longer to respond to the intrusion. The unnecessary alerts therefore diminish the value and urgency of the relevant ones. This paper addresses this issue in order to strengthen vulnerability-based alert management approaches. Our approach verifies alerts before merging them, using two components: a verifier and an alert merger. The verifier improves the quality of alerts by validating them against enhanced vulnerability assessment data; the alert merger reduces the huge number of redundant alerts. Experiments conducted in our test bed have demonstrated that our approach removes most of the unnecessary alerts for a range of attacks with high accuracy while closely maintaining the detection rate. Copyright © 2012 John Wiley & Sons, Ltd.
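The verify-then-merge pipeline the abstract describes, as an added illustration that is not the paper's own code: the alert fields, the shape of the vulnerability assessment table (host to set of (port, CVE) pairs), the exact-tuple merge key and the five-minute merge window are all assumptions made here for the example, and the sample alerts are constructed. The CVE identifiers are real ones used only as labels; the paper does not specify which vulnerabilities its experiments used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Alert:
    """One IDS alert. Field names are this example's own, not the paper's."""
    ts: datetime
    sig: str        # IDS signature name
    src: str        # attacker address
    dst: str        # target address
    dport: int      # target port
    cves: Set[str]  # vulnerabilities the signature is known to exploit
    count: int = 1  # raw alerts folded into this one by the merger


# Constructed vulnerability assessment data: host -> {(port, CVE), ...}.
# In the paper this role is played by (enhanced) scanner output; the CVE ids
# here are real identifiers used only as sample labels.
VULN_DB: Dict[str, Set[Tuple[int, str]]] = {
    "10.0.0.5": {(80, "CVE-2014-6271")},
    "10.0.0.7": {(445, "CVE-2017-0144")},
}


def verify(alerts: List[Alert], vuln_db: Dict[str, Set[Tuple[int, str]]]) -> List[Alert]:
    """Verifier: keep an alert only if the target host exposes, on the attacked
    port, a vulnerability the signature exploits. Everything else is treated as
    a non-actionable (false or irrelevant) alert and dropped."""
    kept = []
    for a in alerts:
        host_vulns = vuln_db.get(a.dst, set())
        if any((a.dport, cve) in host_vulns for cve in a.cves):
            kept.append(a)
    return kept


def merge(alerts: List[Alert], window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Alert merger: collapse alerts with identical (signature, src, dst, dport)
    that arrive within `window` of the group's first alert into one alert that
    carries a count. A later alert outside the window starts a new group.
    The input list is not modified; group heads are fresh Alert objects."""
    heads: Dict[Tuple[str, str, str, int], Alert] = {}
    merged: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst, a.dport)
        head = heads.get(key)
        if head is not None and a.ts - head.ts <= window:
            head.count += 1
        else:
            head = Alert(a.ts, a.sig, a.src, a.dst, a.dport, set(a.cves))
            heads[key] = head
            merged.append(head)
    return merged


def reduce_alerts(alerts: List[Alert], vuln_db: Dict[str, Set[Tuple[int, str]]],
                  window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Verify first, then merge: merging before verifying would fold alerts
    against non-vulnerable hosts into otherwise valid groups."""
    return merge(verify(alerts, vuln_db), window)


def reduction_rate(raw: List[Alert], reduced: List[Alert]) -> float:
    """Fraction of raw alerts the analyst no longer has to look at individually."""
    return 1.0 - len(reduced) / len(raw) if raw else 0.0


# Constructed sample alerts: a burst of Shellshock attempts against a vulnerable
# web host, one against a host without that vulnerability, an SMB exploit
# attempt, and a repeat of the burst ten minutes later.
T0 = datetime(2020, 1, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "shellshock-cgi", "192.0.2.10", "10.0.0.5", 80, {"CVE-2014-6271"}),
    Alert(T0 + timedelta(seconds=1), "shellshock-cgi", "192.0.2.10", "10.0.0.5", 80, {"CVE-2014-6271"}),
    Alert(T0 + timedelta(seconds=2), "shellshock-cgi", "192.0.2.10", "10.0.0.5", 80, {"CVE-2014-6271"}),
    Alert(T0 + timedelta(seconds=3), "shellshock-cgi", "192.0.2.10", "10.0.0.7", 80, {"CVE-2014-6271"}),
    Alert(T0 + timedelta(seconds=5), "smb-eternalblue", "192.0.2.11", "10.0.0.7", 445, {"CVE-2017-0144"}),
    Alert(T0 + timedelta(minutes=10), "shellshock-cgi", "192.0.2.10", "10.0.0.5", 80, {"CVE-2014-6271"}),
]

if __name__ == "__main__":
    result = reduce_alerts(SAMPLE_ALERTS, VULN_DB)
    for a in result:
        print(f"{a.ts:%H:%M:%S} {a.sig:16} {a.src} -> {a.dst}:{a.dport} x{a.count}")
    print(f"reduction: {reduction_rate(SAMPLE_ALERTS, result):.0%}")
```

On the six constructed alerts the verifier drops the one aimed at a host without the exploited vulnerability, and the merger folds the three-alert burst into one record, so three alerts reach the analyst instead of six. The caveat this makes visible is the one the abstract hints at with "enhanced" assessment data: the verifier is only as good as the vulnerability table, so a stale or incomplete scan silently discards true positives, which is why the paper measures detection rate alongside the reduction achieved.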