DocumentCode :
1180523
Title :
Comprehensive approach to intrusion detection alert correlation
Author :
Valeur, Fredrik ; Vigna, Giovanni ; Kruegel, Christopher ; Kemmerer, Richard A.
Author_Institution :
Dept. of Comput. Sci., California Univ., Santa Barbara, CA, USA
Volume :
1
Issue :
3
fYear :
2004
Firstpage :
146
Lastpage :
169
Abstract :
Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches to correlation concentrate on just a few components of the process, providing formalisms and techniques that address only specific correlation issues. This paper presents a general correlation model that includes a comprehensive set of components and a framework based on this model. A tool using the framework has been applied to a number of well-known intrusion detection data sets to identify how each component contributes to the overall goals of correlation. The results of these experiments show that the correlation components are effective in achieving alert reduction and abstraction. They also show that the effectiveness of a component depends heavily on the nature of the data set analyzed.
Keywords :
correlation methods; security of data; alert abstraction; alert reduction; attempted intrusions; correlation components; correlation data sets; general correlation model; intrusion detection alert correlation; Bandwidth; Communication system security; Data analysis; Event detection; Intrusion detection; Local area networks; Operating systems; Performance analysis; Portable computers; Index Terms: intrusion detection; alert correlation; alert reduction; correlation data sets
fLanguage :
English
Journal_Title :
IEEE Transactions on Dependable and Secure Computing
Publisher :
IEEE
ISSN :
1545-5971
Type :
jour
DOI :
10.1109/TDSC.2004.21
Filename :
1366134