Multi-Level Alert Clustering for Intrusion Detection Sensor Data
Alert fusion is a promising research area in information assurance today. To increase trustworthiness in systems, most modern information systems deployed in distributed environments employ multiple, diverse sensors that monitor security violations throughout the network. The outputs of the sensors must be fused in an effective and intelligent manner in order to provide an overall view of the status of such systems. A unified architecture for intelligent alert fusion will essentially combine alert prioritization, alert clustering and alert correlation. In this paper, we address the alert clustering aspect of sensor data fusion in an intrusion detection environment. A causal-knowledge-based inference technique with fuzzy cognitive modeling is used to cluster alerts by discovering structural relationships in sensor data.

I. INTRODUCTION

Information assurance is viewed as the perception that systems are operating as required, with expected protection of the availability, confidentiality and integrity of information within the systems. In order to maintain trust in systems, mechanisms are deployed that monitor any violation of such perception. Intrusion detection systems (IDSs) have been extensively used by researchers and practitioners to maintain trustworthiness in systems. An IDS closely monitors systems and their networks for any sign of probable security violations and then reports alerts to an appropriate authority. Additionally, defense-in-depth strategies suggest that multiple IDSs/sensors should exist in a protected system, all reporting on the security health of the system and/or network.

Research in IDS improvement has taken on new challenges in the past few years. One such contemporary and promising approach in this area is alert fusion in a multi-sensor environment. Increased demands for "more trustworthy" systems and the fact that a single sensor cannot detect all types of misuse/anomalies have prompted most modern information systems to employ multiple, diverse sensors.

Intelligent sensor fusion of runtime behavior data is critical for such systems to obtain a holistic notion of a complex system's runtime status. Therefore, the outputs of sensors must be fused in an effective and intelligent manner in order to provide an overall view of the status of a distributed system.
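The fuzzy cognitive modeling named in the abstract, and the "overall view" the introduction asks for, can be made concrete with a fuzzy cognitive map (FCM) in Kosko's sense: a signed, weighted digraph of concepts whose activations are iterated to a fixed point. The Python below is an added illustration, not the paper's code, its map or its data; the concept names, edge weights, scenario labels and the four sample alerts are constructed assumptions chosen to show the mechanism. Observed sensor alerts are clamped as evidence, latent scenario concepts are inferred from the causal edges, and alerts from different sensors that drive the same scenario concept end up in one cluster; activating the whole stream at once reads off the fused posture.

```python
"""Fuzzy cognitive map (FCM) inference used to group multi-sensor alerts.

Added illustration only: the concepts, causal weights and sample alerts below
are constructed assumptions, not the paper's own map or data. The update rule
is Kosko-style synchronous FCM iteration with observed concepts clamped.
"""
import math

# Concept nodes: four sensor-level alert types (observable inputs) and two
# hypothesised attack-scenario concepts (latent, inferred).
CONCEPTS = ["port_scan", "fw_drop", "failed_login", "account_lockout",
            "recon", "bruteforce"]
SCENARIOS = ["recon", "bruteforce"]

# Causal edges (source, target) -> weight in [-1, 1]. Assumed values.
EDGES = {
    ("port_scan", "recon"): 0.8,
    ("fw_drop", "recon"): 0.6,
    ("failed_login", "bruteforce"): 0.9,
    ("account_lockout", "bruteforce"): 0.7,
    ("port_scan", "bruteforce"): 0.2,   # scanning weakly suggests follow-on guessing
    ("recon", "bruteforce"): 0.3,       # inferred recon raises the brute-force belief
}


def squash(x):
    """Fuzzy activation in [0, 1): tanh for excitatory drive, 0 for inhibitory.
    Unlike a plain logistic sigmoid, an unstimulated concept stays at 0, not 0.5."""
    return max(0.0, math.tanh(x))


def fcm_infer(observed, edges=EDGES, concepts=CONCEPTS, max_steps=50, tol=1e-6):
    """Iterate x_j(t+1) = squash(sum_i w_ij * x_i(t)) to a fixed point.
    `observed` maps input concept -> activation; those nodes are clamped."""
    idx = {c: i for i, c in enumerate(concepts)}
    state = [0.0] * len(concepts)
    for c, v in observed.items():
        state[idx[c]] = v
    incoming = {j: [] for j in range(len(concepts))}
    for (src, dst), w in edges.items():
        incoming[idx[dst]].append((idx[src], w))
    for _ in range(max_steps):
        nxt = list(state)
        for j, sources in incoming.items():
            if concepts[j] in observed:
                continue  # clamped evidence node, never overwritten by inference
            nxt[j] = squash(sum(w * state[i] for i, w in sources))
        delta = max(abs(a - b) for a, b in zip(nxt, state))
        state = nxt
        if delta < tol:
            break
    return dict(zip(concepts, state))


def cluster_alerts(alerts, scenarios=SCENARIOS):
    """Assign each alert to the scenario concept it most strongly activates.
    Alerts from different sensors that drive the same latent concept land in
    the same cluster; that is the structural relationship the map encodes."""
    clusters = {s: [] for s in scenarios}
    for alert in alerts:
        act = fcm_infer({alert["concept"]: alert["confidence"]})
        best = max(scenarios, key=lambda s: act[s])
        if act[best] > 0.0:
            clusters[best].append(alert["id"])
    return clusters


def fuse_alerts(alerts, scenarios=SCENARIOS):
    """Clamp every observed concept at once and read off the scenario beliefs:
    the fused, overall view of the monitored system's status."""
    observed = {}
    for alert in alerts:
        c = alert["concept"]
        observed[c] = max(observed.get(c, 0.0), alert["confidence"])
    act = fcm_infer(observed)
    return {s: act[s] for s in scenarios}


# Constructed sample alert stream (not real sensor output).
ALERTS = [
    {"id": "snort-17", "sensor": "nids",     "concept": "port_scan",       "confidence": 1.0},
    {"id": "fw-2031",  "sensor": "firewall", "concept": "fw_drop",         "confidence": 1.0},
    {"id": "sshd-88",  "sensor": "hids",     "concept": "failed_login",    "confidence": 1.0},
    {"id": "ad-4740",  "sensor": "ad-audit", "concept": "account_lockout", "confidence": 1.0},
]

if __name__ == "__main__":
    print(cluster_alerts(ALERTS))
    # {'recon': ['snort-17', 'fw-2031'], 'bruteforce': ['sshd-88', 'ad-4740']}
    print(fuse_alerts(ALERTS))
```

The squashing function is a design choice made here: tanh clipped at zero keeps unconnected or unstimulated concepts at 0, whereas a plain logistic sigmoid pushes every such node to 0.5 and manufactures belief out of nothing. Whether an alert's `confidence` is a sensor priority score or a flat 1.0 is a policy decision that belongs to the prioritization stage the abstract lists alongside clustering and correlation.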