Alert prioritization in intrusion detection systems

Cited by: 34
Authors
Alsubhi, Khalid [1]
Al-Shaer, Ehab [1]
Boutaba, Raouf [1]
Affiliations
[1] Univ Waterloo, David R Cheriton Sch Comp Sci, Waterloo, ON N2L 3G1, Canada
Source
2008 IEEE NETWORK OPERATIONS AND MANAGEMENT SYMPOSIUM, VOLS 1 AND 2 | 2008
Keywords
alert management; alert prioritization;
DOI
10.1109/NOMS.2008.4575114
CLC classification number
TP [Automation technology; computer technology];
Discipline classification code
0812 ;
Abstract
Intrusion Detection Systems (IDSs) are designed to monitor user and/or network activity and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large, making the task of security analysts difficult to manage. Furthermore, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide imprecise results. In this paper, we propose a fuzzy-logic based technique for scoring and prioritizing alerts generated by an IDS. In addition, we present an alert rescoring technique that leads to a further reduction of the number of alerts. The approach is validated using the 2000 DARPA intrusion detection scenario-specific datasets, and comparative results between the Snort IDS alert scoring and our scoring and prioritization scheme are presented.
Pages: 33 / 40
Page count: 8