DocumentCode
2406231
Title
A complete operational architecture of alert correlation
Author
Amiri, Fatemeh ; Gharaee, Hossein ; Enayati, Ali Reza
Author_Institution
Center of Excellence: Control & Intell., Process. of Electr. & Comput. Eng., Univ. of Tehran, Tehran, Iran
fYear
2011
fDate
19-21 Oct. 2011
Firstpage
243
Lastpage
248
Abstract
To defend against various attacks, many security systems such as intrusion detection systems are deployed on hosts and networks to better protect digital assets. However, there are well-known problems with current intrusion detection systems. To better understand security threats from various sources and take appropriate responses, it is necessary to perform alert correlation. This paper proposes a general alert correlation architecture with four important components: log management, alert correlation, incident response and a knowledge base system. The focus is on describing the most important operations in the alert correlation component. The proposed architecture includes anomaly-based analysis in the alert correlation component. Different techniques for alert correlation are reviewed and compared. This study proposes that a hybrid model of multiple techniques leads to better performance of the alert correlation engine.
Keywords
security of data; alert correlation architecture; alert correlation engine; anomaly-based analysis; incident response; intrusion detection systems; knowledge base system; log management; operational architecture; security threats; Computer architecture; Correlation; Intrusion detection; Knowledge based systems; Sensor phenomena and characterization; alert correlation; anomaly-base analysis; correlation techniques; knowledge base;
fLanguage
English
Publisher
ieee
Conference_Titel
Computational Aspects of Social Networks (CASoN), 2011 International Conference on
Conference_Location
Salamanca
Print_ISBN
978-1-4577-1132-9
Type
conf
DOI
10.1109/CASON.2011.6085952
Filename
6085952