Alert correlation in collaborative intelligent intrusion detection systems-A survey

Cited by: 114
Authors
Elshoush, Huwaida Tagelsir [1 ]
Osman, Izzeldin Mohamed [2 ]
Affiliations
[1] Univ Khartoum, Dept Comp Sci, Fac Math Sci, Khartoum, Sudan
[2] Sudan Univ Sci & Technol, Khartoum, Sudan
Keywords
Alert correlation; Collaborative intrusion detection; False positive analysis; Computational intelligence approaches; MODEL;
DOI
10.1016/j.asoc.2010.12.004
CLC number
TP18 [Artificial intelligence theory];
Discipline code
140502 [Artificial intelligence];
Abstract
As complete prevention of computer attacks is not possible, intrusion detection systems (IDSs) play a very important role in minimizing the damage caused by different computer attacks. There are two intrusion detection methods, namely misuse- and anomaly-based. A collaborative, intelligent intrusion detection system (CIIDS) is proposed to include both methods, since it is concluded from recent research that the performance of an individual detection engine is rarely satisfactory. In particular, two main challenges in current collaborative intrusion detection systems (CIDSs) research are highlighted and reviewed: CIDS system architectures and alert correlation algorithms. Different CIDS system architectures are explained and compared. The use of CIDSs together with other multiple security systems raises certain issues and challenges in alert correlation. Several different techniques for alert correlation are discussed. The focus will be on correlation of CIIDS alerts. Computational Intelligence approaches, together with their applications on IDSs, are reviewed. Methods in soft computing collectively provide understandable and autonomous solutions to IDS problems. At the end of the review, the paper suggests fuzzy logic, soft computing and other AI techniques to be exploited to reduce the rate of false alarms while keeping the detection rate high. In conclusion, the paper highlights opportunities for an integrated solution to large-scale CIIDS. (C) 2011 Elsevier B. V. All rights reserved.
Pages: 4349 / 4365
Page count: 17