Towards Implementing Agent Based Correlation Model For Real-Time Intrusion Detection Alerts

Alert correlation is a promising technique in intrusion detection. It analyzes the alerts from one or more intrusion detection systems and provides a compact, summarized report and a high-level view of attempted intrusions, which greatly improves security effectiveness. A correlation component is a procedure that aggregates alerts according to certain criteria. The aggregated alerts may share common features or represent the steps of a pre-defined attack scenario. Correlation approaches are composed of either a single component or a comprehensive set of components. The effectiveness of a component depends heavily on the nature of the real alerts or the dataset analyzed. The order of the correlation components affects the performance of the correlation process. Moreover, not all components should be used for every dataset. This paper presents the implementation of an Agent Based Correlation Model (ABCM) for real-time intrusion detection alerts. A learning agent learns the nature of the alerts within a network and then guides the whole correlation process, deciding which components should be used and in which order. The model improves the performance of the correlation process by selecting the proper components to be used. The simulation results show that the ABCM model ensures that a minimum number of alerts is processed by each component, depending on the dataset, and a minimum time for the correlation process.
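As an added illustration, not the paper's ABCM implementation or its dataset, the following Python models the idea stated above: each correlation component is one aggregation criterion, and a learning step scores the components on a sample of alerts, drops those that merge nothing for this dataset, and orders the rest so that later components have fewer alerts to process. The alert fields, component names, sample alerts and the greedy reduction-based scoring are all assumptions made for the example.

```python
from functools import partial

# Constructed sample alerts (signature, source, target, timestamp); not real IDS output.
SAMPLE_ALERTS = [
    {"sig": "portscan", "src": "10.0.0.5", "dst": "10.0.1.7", "t": 100},
    {"sig": "portscan", "src": "10.0.0.5", "dst": "10.0.1.7", "t": 101},
    {"sig": "portscan", "src": "10.0.0.5", "dst": "10.0.1.8", "t": 102},
    {"sig": "portscan", "src": "10.0.0.5", "dst": "10.0.1.9", "t": 103},
    {"sig": "ssh_brute", "src": "10.0.0.5", "dst": "10.0.1.7", "t": 110},
    {"sig": "ssh_brute", "src": "10.0.0.5", "dst": "10.0.1.7", "t": 111},
    {"sig": "web_probe", "src": "10.0.0.9", "dst": "10.0.1.7", "t": 120},
]

def merge_on(alerts, keys):
    """Aggregate alerts sharing the given fields: keep the first one seen and
    accumulate a 'count' of how many raw alerts it now represents."""
    groups = {}
    for a in alerts:
        k = tuple(a[f] for f in keys)
        if k in groups:
            groups[k]["count"] += a.get("count", 1)
        else:
            groups[k] = dict(a, count=a.get("count", 1))
    return list(groups.values())

# Hypothetical components, one aggregation criterion each; "same_instant" merges nothing here.
COMPONENTS = {
    "fuse_duplicates":     partial(merge_on, keys=("sig", "src", "dst")),
    "aggregate_by_target": partial(merge_on, keys=("sig", "dst")),
    "aggregate_by_source": partial(merge_on, keys=("sig", "src")),
    "same_instant":        partial(merge_on, keys=("sig", "src", "dst", "t")),
}

def run_pipeline(alerts, order):
    """Apply the components in the given order; return the final alerts and
    how many alerts each component had to process (the cost being minimised)."""
    processed = []
    for name in order:
        processed.append(len(alerts))
        alerts = COMPONENTS[name](alerts)
    return alerts, processed

def learn_order(sample):
    """Learning step (simplified, greedy): score each component by how many
    alerts it removes from the sample on its own, drop those that remove none,
    and run the strongest reducer first so later components see fewer alerts."""
    scores = {n: len(sample) - len(c(sample)) for n, c in COMPONENTS.items()}
    kept = [n for n, s in scores.items() if s > 0]
    return sorted(kept, key=lambda n: (-scores[n], n))
```

Running all four components in their declared order processes 7+5+5+3 alerts; the learned order drops `same_instant` and processes 7+3+3 for the same final three aggregated alerts.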
