Time series: theory and methods
Time series: theory and methods
The base-rate fallacy and its implications for the difficulty of intrusion detection
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Probabilistic Alert Correlation
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Aggregation and Correlation of Intrusion-Detection Alerts
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Mining intrusion detection alarms for actionable knowledge
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Mining Alarm Clusters to Improve Alarm Handling Efficiency
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
A mission-impact-based approach to INFOSEC alarm correlation
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Evaluation of the diagnostic capabilities of commercial intrusion detection systems
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Using Time Series 3D AlertGraph and False Alert Classification to Analyse Snort Alerts
VizSec '08 Proceedings of the 5th international workshop on Visualization for Computer Security
Finding Corrupted Computers Using Imperfect Intrusion Prevention System Event Data
SAFECOMP '08 Proceedings of the 27th international conference on Computer Safety, Reliability, and Security
Processing intrusion detection alert aggregates with time series modeling
Information Fusion
Towards insider threat detection using web server logs
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
On the use of different statistical tests for alert correlation: short paper
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Malware characterization through alert pattern discovery
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Real-time classification of IDS alerts with data mining techniques
MILCOM'09 Proceedings of the 28th IEEE conference on Military communications
0day anomaly detection made possible thanks to machine learning
WWIC'10 Proceedings of the 8th international conference on Wired/Wireless Internet Communications
CAFS: a novel lightweight cache-based scheme for large-scale intrusion alert fusion
Concurrency and Computation: Practice & Experience
| Hi-index | 0.00 |
Intrusion detection systems create large amounts of alerts. Significant part of these alerts can be seen as background noise of an operational information system, and its quantity typically overwhelms the user. In this paper we have three points to make. First, we present our findings regarding the causes of this noise. Second, we provide some reasoning why one would like to keep an eye on the noise despite the large number of alerts. Finally, one approach for monitoring the noise with reasonable user load is proposed. The approach is based on modeling regularities in alert flows with classical time series methods. We present experimentations and results obtained using real world data.