DocumentCode
3156761
Title
Intrusion Alert Correlation based on D-S Evidence Theory
Author
Haibin, Mei ; Jian, Gong
Author_Institution
Southeast Univ. Comput. Network Technol., Nanjing
fYear
2007
fDate
22-24 Aug. 2007
Firstpage
377
Lastpage
381
Abstract
Current intrusion detection systems (IDSs) often trigger a large amount of alerts, most of which are redundant alerts and false positives. Consequently, it is difficult for administrators to understand the alerts and take appropriate actions. Several alert correlation methods have been proposed. However, these methods don´t consider the differences in reliability among alerts reported from multiple IDSs. This paper presents a novel alert correlation approach based on the Dempster-Shafer evidence theory, which regards the alerts as evidence of network attack and combines all the evidence according to the Dempster´s combination rule, inferring whether the attack has taken place. The main advantage of the approach is that it can eliminate the ambiguity and confliction in alerts and reduce the number of alerts. With the DARPA 2000 test dataset, experimental results demonstrate that the approach can reduce more than 69% of reported alerts and decrease the false positive rate efficiently.
Keywords
computer networks; correlation methods; security of data; telecommunication security; Dempste combination rule; Dempster-Shafer evidence theory; intrusion alert correlation method; intrusion detection systems; network attack; Computer networks; Computer science; Computer security; Correlation; Data security; Information analysis; Intrusion detection; Laboratories; Protection; Testing; D-S evidence theory; alert correlation; intrsion detection system; network security;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications and Networking in China, 2007. CHINACOM '07. Second International Conference on
Conference_Location
Shanghai
Print_ISBN
978-1-4244-1009-5
Electronic_ISBN
978-1-4244-1009-5
Type
conf
DOI
10.1109/CHINACOM.2007.4469406
Filename
4469406
Link To Document