A Cognitive Model for Alert Correlation in a Distributed Environment

Siraj, Ambareen; Vaughn, Rayford B.

doi:10.1007/11427995_18

Cited by 13 publications

(5 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In terms of Prioritization, the alerts are categorized based on their severity, e.g., using attack ranks [14]. To solve problems of alert correlation, a variety of disciplines are used, e.g., machine learning, data mining [11], or fuzzy techniques [12]. Most of the efforts do not consider the aspect of performance, which is needed in case of huge amounts of alerts.…”

Section: A Alert Correlationmentioning

confidence: 99%

“…The correlation algorithms [1] can be classified as: Scenario-based correlation [7], Rule-based correlation [8], Statistical correlation [9], and Temporal correlation [10]. False alert reduction can be done by using such techniques as data mining [11] or fuzzy techniques [12]. Attack strategy analysis often depends on reasoning and prediction of attacks missed by the IDS [13].…”

Section: A Alert Correlationmentioning

confidence: 99%

See 1 more Smart Citation

A Flexible and Efficient Alert Correlation Platform for Distributed IDS

Roschke

Cheng

Meinel

2010

2010 Fourth International Conference on Network and System Security

View full text Add to dashboard Cite

Intrusion Detection Systems (IDS) have been widely deployed in practice for detecting malicious behavior on network communication and hosts. The problem of false-positive alerts is a popular existing problem for most of IDS approaches. The solution to address this problem is correlation and clustering of alerts. To meet the practical requirements, this process needs to be finished as soon as possible, which is a challenging task as the amount of alerts produced in large scale deployments of distributed IDS is significantly high. We identify the data storage and processing algorithms to be the most important factors influencing the performance of clustering and correlation. We propose and implement the utilization of memory-supported algorithms and a column-oriented database for correlation and clustering in an extensible IDS correlation platform. The utilization of the column-oriented database, an In-Memory Alert Storage, and memory-based index tables leads to significant improvements on the performance. Different types of correlation modules can be integrated and compared on this platform. A plugin concept for Receivers provides flexible integration of various sensors and additional IDS management systems. The platform can be distributed over multiple processing units to share memory and processing power. A standardized interface is designed to provide a unified view of result reports for end users. The efficiency of the proposed platform is tested by practical experiments with several alert storage approaches, different simple algorithms, as well as local and distributed deployment.

show abstract

Section: A Alert Correlationmentioning

confidence: 99%

Section: A Alert Correlationmentioning

confidence: 99%

A Flexible and Efficient Alert Correlation Platform for Distributed IDS

Roschke

Cheng

Meinel

2010

2010 Fourth International Conference on Network and System Security

View full text Add to dashboard Cite

show abstract

“…The first category involves expert knowledge used to construct a system for classifying, correlating, and ranking alerts based on external knowedge of existing attacks [3] [10]. Rules may also be aggregated using userdefined similarity metrics based on expert knowledge [3], and some alerts may be completely ignored outright if prior knowledge suggests that they are irrelevant [13].…”

Section: Related Workmentioning

confidence: 99%

Reducing the Cognitive Load on Analysts through Hamming Distance Based Alert Aggregation

Mell¹,

Harang²

2014

IJNSA

View full text Add to dashboard Cite

show abstract

“…if a set of alerts shows the same time pattern of occurrence, the alerts are correlated. False alert reduction can be done by using such techniques as data mining [26] or fuzzy techniques [27]. Attack strategy analysis often depends on reasoning and prediction of attacks missed by the IDS [28].…”

Section: Alert Correlation and Its Performancementioning

confidence: 99%

“…To solve problems of alert correlation, a variety of disciplines are used, e.g. machine learning, data mining [26], or fuzzy techniques [27]. Most of the efforts do not consider the aspect of performance, which is needed in the case of huge amounts of alerts.…”

Section: Alert Correlation and Its Performancementioning

confidence: 99%

An alert correlation platform for memory‐supported techniques

Roschke

Cheng

Meinel

2011

Concurrency and Computation

View full text Add to dashboard Cite

SUMMARY Intrusion Detection Systems (IDS) have been widely deployed in practice for detecting malicious behavior on network communication and hosts. False‐positive alerts are a popular problem for most IDS approaches. The solution to address this problem is to enhance the detection process by correlation and clustering of alerts. To meet the practical requirements, this process needs to be finished fast, which is a challenging task as the amount of alerts in large‐scale IDS deployments is significantly high. We identifytextitdata storage and processing algorithms to be the most important factors influencing the performance of clustering and correlation. We propose and implement a highly efficient alert correlation platform. For storage, a column‐based database, an In‐Memory alert storage, and memory‐based index tables lead to significant improvements of the performance. For processing, algorithms are designed and implemented which are optimized for In‐Memory databases, e.g. an attack graph‐based correlation algorithm. The platform can be distributed over multiple processing units to share memory and processing power. A standardized interface is designed to provide a unified view of result reports for end users. The efficiency of the platform is tested by practical experiments with several alert storage approaches, multiple algorithms, as well as a local and a distributed deployment. Copyright © 2011 John Wiley & Sons, Ltd.

show abstract

A Cognitive Model for Alert Correlation in a Distributed Environment

Cited by 13 publications

References 6 publications

A Flexible and Efficient Alert Correlation Platform for Distributed IDS

A Flexible and Efficient Alert Correlation Platform for Distributed IDS

Reducing the Cognitive Load on Analysts through Hamming Distance Based Alert Aggregation

An alert correlation platform for memory‐supported techniques

Contact Info

Product

Resources

About