• DocumentCode
    2049653
  • Title
    A Generic Intrusion Detection and Diagnoser System Based on Complex Event Processing
  • Author
    Ficco, Massimo ; Romano, Luigi
  • Author_Institution
    Dept. of Inf. Eng., Seconda Univ. di Napoli, Aversa, Italy
  • fYear
    2011
  • fDate
    21-24 June 2011
  • Firstpage
    275
  • Lastpage
    284
  • Abstract
    This work presents a generic Intrusion Detection and Diagnosis System, which implements a comprehensive alert correlation workflow for the detection and diagnosis of complex intrusion scenarios in Large scale Complex Critical Infrastructures. The on-line detection and diagnosis process is based on a hybrid and hierarchical approach, which makes it possible to detect intrusion scenarios by collecting diverse information at several architectural levels, using distributed security probes, and to perform complex event correlation based on a Complex Event Processing Engine. The escalation process from intrusion symptoms to the identified target and cause of the intrusion is driven by a knowledge base represented by an ontology. A prototype implementation of the proposed Intrusion Detection and Diagnosis framework is also presented.
  • Keywords
    knowledge based systems; ontologies (artificial intelligence); security of data; complex event correlation; complex event processing engine; comprehensive alert correlation workflow; diagnoser system; distributed security probes; escalation process; generic intrusion detection; hierarchical approach; hybrid approach; intrusion symptoms; knowledge-base system; large scale complex critical infrastructures; online detection; ontology; Correlation; Engines; Knowledge based systems; Monitoring; Probes; Security; Software; attack scenario recognition; complex event processing; diagnosis; intrusion detection system
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Data Compression, Communications and Processing (CCP), 2011 First International Conference on
  • Conference_Location
    Palinuro
  • Print_ISBN
    978-1-4577-1458-0
  • Electronic_ISBN
    978-0-7695-4528-8
  • Type
    conf
  • DOI
    10.1109/CCP.2011.43
  • Filename
    6061035