Fusing A Heterogeneous Alert Stream Into Scenarios

Dain, Oliver; Cunningham, Robert K.

doi:10.1007/978-1-4615-0953-0_5

Cited by 141 publications

(127 citation statements)

References 1 publication

Supporting

Mentioning

125

Contrasting

Unclassified

Order By: Relevance

“…Most of the previous works [2], [3], [5], [6], [7] of alert clustering for finding structural correlation required strong dependencies on SE in developing and/or maintaining their correlation system. They either need pre-defined rules or human expert knowledge to manage and analyze the intrusion alerts.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Hybrid Intelligent Approach for Automated Alert Clustering and Filtering in Intrusion Alert Analysis

Siraj¹,

Maarof²,

Hashim³

2009

IJCTE

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

“…For instance, algorithm introduced by [5] required a significant amount of alerts to be managed manually (i.e., hand-clustered) beforehand. Likewise, system by [2] properties to assist the clustering algorithm.…”

Section: Related Workmentioning

confidence: 99%

A Hybrid Intelligent Approach for Automated Alert Clustering and Filtering in Intrusion Alert Analysis

Siraj¹,

Maarof²,

Hashim³

2009

IJCTE

View full text Add to dashboard Cite

“…These problems make the reports from IDSs very hard to understand and manage. Many researchers and vendors have proposed various alert correlation techniques (e.g., [6,7,15]) to make large numbers of IDS alerts more understandable and at the same time reduce the impact of false positives and false negatives.…”

Section: Introductionmentioning

confidence: 99%

Integrating IDS Alert Correlation and OS-Level Dependency Tracking

Zhai

Ning

2006

Intelligence and Security Informatics

View full text Add to dashboard Cite

Abstract. Intrusion alert correlation techniques correlate alerts into meaningful groups or attack scenarios for the ease to understand by human analysts. However, the performance of correlation is undermined by the imperfectness of intrusion detection techniques. Falsely correlated alerts can be misleading to analysis. This paper presents a practical technique to improve alert correlation by integrating alert correlation techniques with OS-level object dependency tracking. With the support of more detailed and precise information from OS-level event logs, higher accuracy in alert correlation can be achieved. The paper also discusses the application of such integration in improving the accuracy of hypotheses about possibly missed attacks while reducing the complexity of the hypothesizing process. A series of experiments are performed to evaluate the effectiveness of the methods, and the results demonstrate significant improvements on correlation results with the proposed techniques.

show abstract

“…Similar approaches, with similar strengths and shortcomings but different formalisms, have been tried with the specification of pre-and post-conditions of the attacks [4], sometimes along with time-distance criteria [5]. It is possible to mine scenario rules directly from data, either in a supervised [6] or unsupervised [7] fashion. Both approaches use alert classifications as part of their rules.…”

Section: Problem Statement and State Of The Artmentioning

confidence: 99%

On the Use of Different Statistical Tests for Alert Correlation – Short Paper

Maggi

Zanero

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.In this paper we analyze the use of different types of statistical tests for the correlation of anomaly detection alerts. We show that the Granger Causality Test, one of the few proposals that can be extended to the anomaly detection domain, strongly depends on good choices of a parameter which proves to be both sensitive and difficult to estimate. We propose a different approach based on a set of simpler statistical tests, and we prove that our criteria work well on a simplified correlation task, without requiring complex configuration parameters.

show abstract

Fusing A Heterogeneous Alert Stream Into Scenarios

Cited by 141 publications

References 1 publication

A Hybrid Intelligent Approach for Automated Alert Clustering and Filtering in Intrusion Alert Analysis

A Hybrid Intelligent Approach for Automated Alert Clustering and Filtering in Intrusion Alert Analysis

Integrating IDS Alert Correlation and OS-Level Dependency Tracking

On the Use of Different Statistical Tests for Alert Correlation – Short Paper

Contact Info

Product

Resources

About