• DocumentCode
    3613404
  • Title
    Alert correlation in a cooperative intrusion detection framework
  • Author
    F. Cuppens; A. Miege

  • Author_Institution
    ONERA, Toulouse, France
  • fYear
    2002
  • fDate
    2002
  • Firstpage
    202
  • Lastpage
    215
  • Abstract
    This paper presents the work we have done within the MIRADOR project to design CRIM, a cooperative module for intrusion detection systems (IDS). This module implements functions to manage, cluster, merge and correlate alerts. The clustering and merging functions recognize alerts that correspond to the same occurrence of an attack and create a new alert that merges the data contained in these various alerts. Experiments show that these functions significantly reduce the number of alerts. However, we also observe that the alerts we obtain are still too elementary to be managed by a security administrator. The purpose of the correlation function is thus to generate global and synthetic alerts. This paper focuses on the approach we suggest to design this function.
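    The three functions named in the abstract (cluster alerts reporting the same attack occurrence, merge them into one richer alert, then correlate merged alerts into a global alert describing a multi-step attack) can be sketched in a few dozen lines. The following is an added illustrative example, not the CRIM code from the paper: the similarity criterion, the 5-second clustering window, the 600-second correlation gap and the small precondition/postcondition knowledge base `KB` are assumptions made for the example, and the alert set `SAMPLE_ALERTS` is constructed, not captured.

```python
"""Alert clustering, merging and correlation: an added example in the
spirit of the CRIM module. Not the paper's code; similarity criterion,
time windows and the KB below are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Elementary alert as emitted by one IDS sensor."""
    sensor: str
    classification: str
    src: str
    dst: str
    time: float                       # seconds since start of capture
    attrs: dict = field(default_factory=dict)


@dataclass
class MergedAlert:
    """One alert standing for all elementary alerts of one attack occurrence."""
    classification: str
    src: str
    dst: str
    start: float
    end: float
    sensors: set
    attrs: dict                       # union of the merged alerts' attributes


@dataclass
class GlobalAlert:
    """Synthetic alert from correlation: an ordered chain of attack steps."""
    victim: str
    steps: list                       # MergedAlert objects in time order


def similar(a: Alert, b: Alert, window: float) -> bool:
    """Assumed clustering criterion: same class, same endpoints, close in time."""
    return (a.classification == b.classification
            and a.src == b.src and a.dst == b.dst
            and abs(a.time - b.time) <= window)


def cluster_and_merge(alerts, window: float = 5.0):
    """Group alerts reporting the same occurrence, then merge each group."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x.time):
        for c in clusters:
            if similar(c[-1], a, window):   # compare with the newest member
                c.append(a)
                break
        else:
            clusters.append([a])
    merged = []
    for c in clusters:
        attrs = {}
        for a in c:
            attrs.update(a.attrs)           # each sensor fills in what it saw
        merged.append(MergedAlert(c[0].classification, c[0].src, c[0].dst,
                                  c[0].time, c[-1].time,
                                  {a.sensor for a in c}, attrs))
    return merged


# Assumed knowledge base: what each attack requires and what it gives the attacker.
KB = {
    "port_scan":       {"pre": set(),              "post": {"knows_service"}},
    "buffer_overflow": {"pre": {"knows_service"},  "post": {"has_shell"}},
    "add_user":        {"pre": {"has_shell"},      "post": {"persistence"}},
}


def correlate(merged, max_gap: float = 600.0):
    """Chain A -> B when a postcondition of A is a precondition of B, both hit
    the same victim and B starts within max_gap of A's end. Single-step chains
    stay elementary and are not reported as global alerts."""
    chains = []
    for m in sorted(merged, key=lambda x: x.start):
        pre = KB.get(m.classification, {}).get("pre", set())
        for chain in chains:
            last = chain[-1]
            post = KB.get(last.classification, {}).get("post", set())
            if (last.dst == m.dst and pre & post
                    and 0 <= m.start - last.end <= max_gap):
                chain.append(m)
                break
        else:
            chains.append([m])
    return [GlobalAlert(c[0].dst, c) for c in chains if len(c) > 1]


# Constructed sample: three sensors report one scan, one exploit and one
# persistence step against 10.0.0.8, plus an unrelated scan elsewhere.
SAMPLE_ALERTS = [
    Alert("snort",    "port_scan",       "10.0.0.5", "10.0.0.8",    0.0),
    Alert("suricata", "port_scan",       "10.0.0.5", "10.0.0.8",    2.0, {"ports": "21,22,80"}),
    Alert("snort",    "port_scan",       "10.0.0.5", "10.0.0.8",    3.0),
    Alert("snort",    "port_scan",       "10.0.0.9", "10.0.0.20",  50.0),
    Alert("snort",    "buffer_overflow", "10.0.0.5", "10.0.0.8",  120.0, {"service": "ftp"}),
    Alert("hids",     "buffer_overflow", "10.0.0.5", "10.0.0.8",  121.0, {"pid": 4242}),
    Alert("hids",     "add_user",        "10.0.0.5", "10.0.0.8",  400.0, {"user": "backup2"}),
]


def run_pipeline(alerts):
    """Return (merged alerts, global alerts) for a list of elementary alerts."""
    merged = cluster_and_merge(alerts)
    return merged, correlate(merged)


if __name__ == "__main__":
    merged, global_alerts = run_pipeline(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} elementary -> {len(merged)} merged -> "
          f"{len(global_alerts)} global")
    for g in global_alerts:
        print(g.victim, "<-", " -> ".join(s.classification for s in g.steps))
```

    On the constructed input the seven elementary alerts collapse to four merged alerts, and correlation chains three of them into one global alert (scan, then overflow, then account creation) against 10.0.0.8, while the unrelated scan stays elementary. The merge step keeps the union of attributes, so the global alert carries the scanned ports, the exploited service and the created user even though no single sensor saw all three.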
  • Keywords
    "Intrusion detection","Merging","Data security","Pattern matching","Collaboration","Laboratories","Information security"
  • Publisher
    ieee
  • Conference_Title
    Proceedings of the 2002 IEEE Symposium on Security and Privacy
  • ISSN
    1081-6011
  • Print_ISBN
    0-7695-1543-6
  • Type
    conf
  • DOI
    10.1109/SECPRI.2002.1004372
  • Filename
    1004372