Abstract
Until recently, network administrators manually arranged alarms produced by Intrusion Detection Systems (IDSs) to attain a high-level description of threats. As the number of alarms is increasingly growing, automatic tools for alarm clustering have been proposed to provide such a high level description of the attack scenario. In addition, it has been shown that effective threat analysis require the fusion of different sources of information, such as different IDSs, firewall logs, etc. In this paper, we propose a new strategy to perform alarm clustering which produces unified descriptions of attacks from multiple alarms. Tests have been performed on a live network where commercial and open-source IDSs analyzed network traffic.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Haines, J., Ryder, D.K., Tinnel, L., Taylor, S.: Validation of Sensor Alert Correlators. IEEE Security Privacy 1(1), 46–56 (2003)
Valdes, A., Skinner, K.: Probabilistic Alert Correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)
Cuppens, F.: Managing Alerts in a Multi-Intrusion Detection Environment. In: Proceedings of ACSAC 2001. IEEE Computer Society, Los Alamitos (2001)
Cuppens, F., Miége, A.: Alert Correlation in a Cooperative Intrusion Detection Framework. In: Proceedings of the IEEE Symposium on Security and Privacy (2002)
Porras, P.A., Fong, M.W., Valdes, A.: A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 95–114. Springer, Heidelberg (2002)
Undercoffer, J., Joshi, A., Pinkston, J.: Modeling Computer Attacks: An Ontology for Intrusion Detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 113–135. Springer, Heidelberg (2003)
Curry, D., Debar, H., Feinstein, B.: The Intrusion Detection Message Exchange Format, http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-11.txt
Jain, A.K., Murty, M.N., Flynn, P.J.: Data clustering: a review. ACM Computing Surveys 31(3), 264–323 (1999)
Snort, Lightweight Intrusion Detection for Networks, http://www.snort.org
Prelude Intrusion Detection System, http://www.prelude-ids.org
ISS, Inc.: RealSecure intrusion detection system, http://www.iss.net
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Giacinto, G., Perdisci, R., Roli, F. (2005). Alarm Clustering for Intrusion Detection Systems in Computer Networks. In: Perner, P., Imiya, A. (eds) Machine Learning and Data Mining in Pattern Recognition. MLDM 2005. Lecture Notes in Computer Science(), vol 3587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11510888_19
Download citation
DOI: https://doi.org/10.1007/11510888_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26923-6
Online ISBN: 978-3-540-31891-0
eBook Packages: Computer ScienceComputer Science (R0)