论文信息 - Intrusion Alert Correlation Technique Analysis for Heterogeneous Log

Intrusion Alert Correlation Technique Analysis for Heterogeneous Log

Summary Intrusion alert correlation is multi-step processes that receives alerts from heterogeneous log resources as input and produce a high-level description of the malicious activity on the network. The objective of this study is to analyse the current alert correlation technique and identify the significant criteria in each technique that can improve the Intrusion Detection System (IDS) problem such as prone to alert flooding, contextual problem, false alert and scalability. The existing alert correlation techniques had been reviewed and analysed. From the analysis, six capability criteria have been identified to improve the current alert correlation technique. They are capability to do alert reduction, alert clustering, identify multistep attack, reduce false alert, detect known attack and detect unknown attack.

[1] Hervé Debar,et al. Aggregation and Correlation of Intrusion-Detection Alerts , 2001, Recent Advances in Intrusion Detection.

[2] Dan Andersson,et al. Heterogeneous Sensor Correlation: A Case Study of Live Traffic Analysis , 2001 .

[3] Alfonso Valdes,et al. Probabilistic Alert Correlation , 2001, Recent Advances in Intrusion Detection.

[4] Klaus Julisch,et al. Mining alarm clusters to improve alarm handling efficiency , 2001, Seventeenth Annual Computer Security Applications Conference.

[5] Frédéric Cuppens,et al. Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[6] Peng Ning,et al. Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[7] Peng Ning,et al. Analyzing Intensive Intrusion Alerts via Correlation , 2002, RAID.

[8] Wenke Lee,et al. Statistical Causality Analysis of INFOSEC Alert Data , 2003, RAID.

[9] Klaus Julisch,et al. Clustering intrusion detection alarms to support root cause analysis , 2003, TSEC.

[10] Dan Gorton,et al. Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance , 2003 .

[11] Giovanni Vigna,et al. Real-time intrusion detection alert correlation , 2006 .

[12] Peng Ning,et al. Integrating IDS Alert Correlation and OS-Level Dependency Tracking , 2006, ISI.