In this paper, we present a framework design and implementation that provides a scalable solution for two important components of alert correlation: alert verification and event correlation. In our framework, a broker application maintains a database containing IDS alerts while software agents perform alert verification and event correlation of alert instances. Agents are designed to run on multiple hosts to ensure scalability of complex tasks. Agents communicate with the broker via web service architecture, making them easy to build and deploy in heterogeneous networks. Three IDSs are supported to show that the framework can be applied to differing IDS paradigms.
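To make the broker/agent split concrete, here is a small in-process model of the two components the abstract names. It is an added example and not the paper's own code: the broker keeps the alert store, a verification agent checks each alert against an asset inventory (an alert is verified only if the target host actually exposes the attacked service), and a correlation agent groups verified alerts from the same source that fall within a time window. The class names, the three sensor labels, the inventory and the sample alerts are all constructed assumptions, and direct method calls stand in for the web-service transport the abstract describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """Normalised alert record (constructed schema, not the paper's)."""
    alert_id: int
    sensor: str      # which IDS produced it
    ts: int          # seconds since epoch (constructed)
    src: str
    dst: str
    dst_port: int
    service: str     # service the signature targets
    sig: str


class Broker:
    """Owns the alert store. Agents reach it only through these calls,
    which stand in for the web-service operations of the framework."""

    def __init__(self) -> None:
        self.alerts: Dict[int, Alert] = {}
        self.verified: Dict[int, bool] = {}

    def put(self, a: Alert) -> None:
        self.alerts[a.alert_id] = a

    def unverified(self) -> List[Alert]:
        return [a for a in self.alerts.values() if a.alert_id not in self.verified]

    def set_verified(self, alert_id: int, ok: bool) -> None:
        self.verified[alert_id] = ok

    def verified_alerts(self) -> List[Alert]:
        return [self.alerts[i] for i, ok in self.verified.items() if ok]


class VerificationAgent:
    """Marks an alert verified only if the targeted (port, service) pair is
    really exposed on the destination host; otherwise it is a likely false
    positive. The inventory is a constructed stand-in for an asset database."""

    def __init__(self, broker: Broker, inventory: Dict[str, Set[Tuple[int, str]]]) -> None:
        self.broker, self.inventory = broker, inventory

    def run(self) -> int:
        done = 0
        for a in self.broker.unverified():
            exposed = self.inventory.get(a.dst, set())
            self.broker.set_verified(a.alert_id, (a.dst_port, a.service) in exposed)
            done += 1
        return done


class CorrelationAgent:
    """Clusters verified alerts by source address when consecutive alerts
    from that source are at most window_s seconds apart."""

    def __init__(self, broker: Broker, window_s: int) -> None:
        self.broker, self.window_s = broker, window_s

    def run(self) -> List[List[int]]:
        clusters: List[List[int]] = []
        open_by_src: Dict[str, Tuple[int, int]] = {}  # src -> (cluster index, last ts)
        for a in sorted(self.broker.verified_alerts(), key=lambda x: x.ts):
            cur = open_by_src.get(a.src)
            if cur is not None and a.ts - cur[1] <= self.window_s:
                clusters[cur[0]].append(a.alert_id)
                open_by_src[a.src] = (cur[0], a.ts)
            else:
                clusters.append([a.alert_id])
                open_by_src[a.src] = (len(clusters) - 1, a.ts)
        return clusters


# Constructed inventory and alerts from three hypothetical sensors.
INVENTORY = {"192.168.1.10": {(80, "http"), (22, "ssh")},
             "192.168.1.20": {(443, "https")}}
SAMPLE_ALERTS = [
    Alert(1, "sensor-a", 100, "10.0.0.5", "192.168.1.10", 80, "http", "web attack"),
    Alert(2, "sensor-b", 130, "10.0.0.5", "192.168.1.10", 22, "ssh", "login failures"),
    Alert(3, "sensor-c", 150, "10.0.0.5", "192.168.1.20", 80, "http", "web scan"),
    Alert(4, "sensor-a", 2000, "10.0.0.5", "192.168.1.10", 80, "http", "web attack"),
    Alert(5, "sensor-b", 160, "10.0.0.9", "192.168.1.20", 443, "https", "tls anomaly"),
]


def run_pipeline(window_s: int = 300) -> Tuple[Dict[int, bool], List[List[int]]]:
    """Load the sample alerts, run both agents, return (verdicts, clusters)."""
    broker = Broker()
    for a in SAMPLE_ALERTS:
        broker.put(a)
    VerificationAgent(broker, INVENTORY).run()
    clusters = CorrelationAgent(broker, window_s).run()
    return dict(broker.verified), clusters


if __name__ == "__main__":
    verdicts, clusters = run_pipeline()
    print("verified:", verdicts)   # alert 3 is False: no http on 192.168.1.20
    print("clusters:", clusters)   # [[1, 2], [5], [4]]
```

Alert 3 is dropped at verification because the target does not expose the attacked service, and alert 4 starts a new cluster because it arrives well outside the window of the earlier activity from the same source. Because agents only call `put`, `unverified`, `set_verified` and `verified_alerts`, several agent instances could run on different hosts against one broker, which is the scaling property the abstract claims.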