DocumentCode :
3156761
Title :
Intrusion Alert Correlation based on D-S Evidence Theory
Author :
Haibin, Mei ; Jian, Gong
Author_Institution :
Southeast Univ. Comput. Network Technol., Nanjing
fYear :
2007
fDate :
22-24 Aug. 2007
Firstpage :
377
Lastpage :
381
Abstract :
Current intrusion detection systems (IDSs) often trigger a large number of alerts, most of which are redundant alerts and false positives. Consequently, it is difficult for administrators to understand the alerts and take appropriate actions. Several alert correlation methods have been proposed. However, these methods do not consider the differences in reliability among alerts reported by multiple IDSs. This paper presents a novel alert correlation approach based on the Dempster-Shafer evidence theory, which regards the alerts as evidence of a network attack and combines all the evidence according to Dempster's combination rule, inferring whether the attack has taken place. The main advantage of the approach is that it can eliminate the ambiguity and conflict among alerts and reduce the number of alerts. With the DARPA 2000 test dataset, experimental results demonstrate that the approach can reduce reported alerts by more than 69% and effectively decrease the false positive rate.
Keywords :
computer networks; correlation methods; security of data; telecommunication security; Dempster combination rule; Dempster-Shafer evidence theory; intrusion alert correlation method; intrusion detection systems; network attack; Computer networks; Computer science; Computer security; Correlation; Data security; Information analysis; Intrusion detection; Laboratories; Protection; Testing; D-S evidence theory; alert correlation; intrusion detection system; network security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communications and Networking in China, 2007. CHINACOM '07. Second International Conference on
Conference_Location :
Shanghai
Print_ISBN :
978-1-4244-1009-5
Electronic_ISBN :
978-1-4244-1009-5
Type :
conf
DOI :
10.1109/CHINACOM.2007.4469406
Filename :
4469406