Title :
Integrating security operator knowledge and preferences to the alert correlation process
Author :
Bouzar-Benlabiod, Lydia ; Benferhat, Salem ; Boubana-Tebibel, Thouraya
Author_Institution :
Grad. Sch. (STIC), Nat. Sch. of Comput. (ESI), Algiers, Algeria
Abstract :
Intrusion Detection Systems (IDS) are necessary for system monitoring. However, they produce a huge quantity of alerts. Alert correlation is a process applied to IDS alerts in order to reduce their number. In this paper we propose a new approach to alert correlation which enables the integration of new information into the alert correlation process: the security operator's knowledge and preferences. This information concerns the monitored system and the risk level of each alert, according for instance to the operator's experience. The representation of, and reasoning on, this knowledge and these preferences are done using the Qualitative Choice Logic (QCL) and its extensions: Prioritized Qualitative Choice Logic (PQCL) and Positive Qualitative Choice Logic (QCL+). Experimental results are obtained on data from the monitoring of a real system. The result is a set of ordered alerts which satisfies the operator's criteria.
Keywords :
computerised monitoring; security of data; alert correlation process; intrusion detection systems; positive qualitative choice logic; prioritized qualitative choice logic; security operator knowledge; security operator preferences; system monitoring; Cognition; Correlation; Intrusion detection; Monitoring; Polynomials; Quantum cascade lasers; IDS; QCL; alert correlation; knowledge; preferences;
Conference_Titel :
Machine and Web Intelligence (ICMWI), 2010 International Conference on
Conference_Location :
Algiers
Print_ISBN :
978-1-4244-8608-3
DOI :
10.1109/ICMWI.2010.5648098