Title :
Alarm reduction and correlation in defence of IP networks
Author :
Chyssler, Tobias ; Nadjm-Tehrani, Simin ; Burschka, Stefan ; Burbeck, Kalle
Author_Institution :
Dept. of Comput. & Inf. Sci., Linkoping Univ., Sweden
Abstract :
Society´s critical infrastructures are increasingly dependent on IP networks. Intrusion detection and tolerance within data networks is therefore imperative for dependability in other domains such as telecommunications and future energy management networks. Today´s data networks are protected by human operators who are overwhelmed by the massive information overload through false alarm rates of the protection mechanisms. This paper studies the role of alarm reduction and correlation in supporting the security administrator in an enterprise network. We present an architecture that incorporates intrusion detection systems as sensors, and provides improved alarm data to the human operator or to automated actuators. Alarm reduction and correlation via static and adaptive filtering, normalisation, and aggregation is demonstrated on the output from three sensors (Snort, Samhain and Syslog) used in a telecom test network.
Keywords :
IP networks; alarm systems; security of data; sensors; telecommunication security; IP networks; Samhain sensor; Snort sensor; Syslog sensor; adaptive filtering; aggregation; alarm correlation; alarm reduction; automated actuators; data networks; energy management networks; enterprise network security administration; false alarm rates; human operator; intrusion detection system; intrusion tolerance; normalisation; static filtering; telecom test network; Actuators; Adaptive filters; Data security; Energy management; Humans; IP networks; Information security; Intrusion detection; Protection; Sensor systems;
Conference_Titel :
Enabling Technologies: Infrastructure for Collaborative Enterprises, 2004. WET ICE 2004. 13th IEEE International Workshops on
Print_ISBN :
0-7695-2183-5
DOI :
10.1109/ENABL.2004.7
