Conceptual Analysis of Intrusion Alarms

The security information that current intrusion detection systems (IDS) provide about an information system is spread over numerous similar, fine-grained alerts. Security operators are consequently overwhelmed by alerts whose individual content is too poor to act on. Alarm correlation techniques are used to reduce the number of alerts and to enrich their content. In this paper, we tackle the alert correlation problem as an information retrieval problem, so that groups of alerts become easier to handle.
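As an added illustration (not code from the paper), the following Python example shows one way to turn a pile of fine-grained alerts into navigable groups. It assumes that the "conceptual analysis" in the title refers to formal concept analysis: each alert is an object, its attribute=value pairs are its attributes, and every formal concept is a pair (extent = a group of alerts, intent = the attributes they all share). The `navigate` function treats a set of attributes as an information-retrieval query and returns the matching group together with the attributes an operator could add to refine it. The alerts, attribute names and values are constructed sample data.

```python
"""Grouping fine-grained IDS alerts into formal concepts.

Added example, not the paper's code. A concept is (extent, intent):
extent = indices of alerts in the group, intent = attributes they share.
"""
from itertools import chain

# Constructed sample alerts (not real data): each alert is the set of
# attribute=value pairs an operator would see in the console.
ALERTS = [
    {"sig=portscan", "src=10.0.0.5", "dst=10.0.1.2", "proto=tcp"},
    {"sig=portscan", "src=10.0.0.5", "dst=10.0.1.3", "proto=tcp"},
    {"sig=portscan", "src=10.0.0.5", "dst=10.0.1.4", "proto=tcp"},
    {"sig=web-cgi", "src=10.0.0.7", "dst=10.0.1.2", "proto=tcp"},
    {"sig=web-cgi", "src=10.0.0.7", "dst=10.0.1.2", "proto=tcp"},
    {"sig=dns-anomaly", "src=10.0.0.9", "dst=10.0.1.53", "proto=udp"},
]


def closed_intents(alerts):
    """Every closed attribute set: all intersections of alert intents, plus
    the full attribute set (the intent of the empty extent). The family of
    intersections is closed under intersection, which is exactly the
    property a concept intent must have."""
    all_attrs = frozenset(chain.from_iterable(alerts))
    closed = {all_attrs}
    for alert in alerts:
        intent = frozenset(alert)
        closed |= {intent & c for c in closed}
    return closed


def concepts(alerts):
    """Return (extent, intent) pairs, largest groups first; among equal
    group sizes the more specific description comes first."""
    result = []
    for intent in closed_intents(alerts):
        extent = frozenset(i for i, a in enumerate(alerts) if intent <= a)
        result.append((extent, intent))
    result.sort(key=lambda c: (-len(c[0]), -len(c[1]), sorted(c[1])))
    return result


def alert_groups(alerts, min_size=2):
    """Concepts worth showing an operator: at least min_size alerts that
    share a non-empty attribute set (drops singletons and the trivial
    'everything' group)."""
    return [(ext, intent) for ext, intent in concepts(alerts)
            if len(ext) >= min_size and intent]


def describe(group):
    """Human-readable summary of one group: the enriched content that
    replaces the individual, too-poor alerts."""
    extent, intent = group
    return f"{len(extent)} alerts share " + ", ".join(sorted(intent))


def navigate(alerts, query):
    """Information-retrieval step: the query is a set of attributes.
    Returns (matching alerts, attributes they all share = closure of the
    query, attributes that could be added to narrow the group further)."""
    extent = frozenset(i for i, a in enumerate(alerts) if set(query) <= a)
    if not extent:
        return extent, frozenset(), frozenset()
    shared = frozenset.intersection(*(frozenset(alerts[i]) for i in extent))
    reachable = frozenset(chain.from_iterable(alerts[i] for i in extent))
    return extent, shared, reachable - shared


if __name__ == "__main__":
    for group in alert_groups(ALERTS):
        print(describe(group))
    ext, shared, refinements = navigate(ALERTS, {"src=10.0.0.5"})
    print(sorted(ext), sorted(shared), sorted(refinements))
```

Running the block lists four groups for the six sample alerts (all TCP alerts; the three portscans from one source; the three alerts against one destination; the two identical web-cgi alerts), and the navigation step from `src=10.0.0.5` lands on the portscan concept with the three destination addresses offered as refinements. The closure-by-intersection approach is quadratic in the number of closed sets and is meant to show the idea; a production correlator would use an incremental lattice algorithm and time-window the input.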
