Title :
On the sufficiency of time-based correlation for signature-based IDS alerts
Author :
Neville, Stephen W.
Author_Institution :
Dept. of Electr. & Comput. Eng., Victoria Univ., BC, Canada
Abstract :
Intrusion detection system (IDS) alert correlation is becoming an important tool in dealing with the overwhelming data volumes produced by operational deployments of heterogeneous IDS systems. This work examines under what conditions time correlation is a sufficient approach to this problem, in the sense that it does not introduce erroneous alert clusters. A formal framework for signature-based IDS event detection is developed to aid this discussion. Through this framework it is shown that, even for the simplest case of a single isolated attack, time correlation is not a sufficient approach for noncoincidently located heterogeneous sensors, due to the nondeterministic nature of network propagation delays. An approach is then discussed to include additional information about the knowledge domains of the respective IDS sensors, at a per-trigger level, to improve the correlation accuracy.
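As an added illustration (not code from the paper), the following constructed Python simulation shows the failure mode the abstract describes: one isolated attack observed by two sensors at different network distances is split into separate clusters by a fixed time window. The sensor names, the exponential delay-jitter model and the signature name are assumptions made for the example.

```python
"""Constructed illustration: a fixed time window is not a sufficient
correlation criterion for alerts from sensors at different network locations."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str      # IDS sensor that raised the trigger
    signature: str   # signature (trigger) that fired
    ts: float        # sensor-local timestamp in seconds


def time_cluster(alerts, window):
    """Greedy time-based correlation: sort by timestamp and open a new
    cluster whenever the gap to the previous alert exceeds `window`."""
    clusters, current = [], []
    for a in sorted(alerts, key=lambda x: x.ts):
        if current and a.ts - current[-1].ts > window:
            clusters.append(current)
            current = []
        current.append(a)
    if current:
        clusters.append(current)
    return clusters


def observe_single_attack(rng, t0, sensors):
    """One isolated attack at t0 seen by several sensors. Each sensor sees it
    after a fixed base path delay plus nondeterministic jitter (assumed
    exponential model; `sensors` maps name -> (base, mean_jitter) seconds)."""
    return [Alert(name, "SIG-EXAMPLE", t0 + base + rng.expovariate(1.0 / jitter))
            for name, (base, jitter) in sensors.items()]


def split_rate(window, trials=1000, seed=1):
    """Fraction of single-attack observations that a `window`-second time
    correlation splits into more than one cluster (erroneous clusters).
    The edge sensor sits next to the source; the core sensor is ~250 ms away."""
    rng = random.Random(seed)
    sensors = {"edge": (0.001, 0.001), "core": (0.250, 0.100)}  # constructed
    splits = sum(
        len(time_cluster(observe_single_attack(rng, 0.0, sensors), window)) > 1
        for _ in range(trials)
    )
    # A window wide enough to avoid splits would instead merge unrelated
    # attacks, which is why the timestamp alone cannot decide membership.
    return splits / trials
```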
Keywords :
handwriting recognition; safety systems; sensors; telecommunication security; correlation accuracy improvement; data volume overwhelming; event detection; heterogeneous IDS system; heterogeneous sensor; intrusion detection system; network propagation delay; signature-based IDS alert; time-based correlation; Clocks; Computer networks; Failure analysis; Intrusion detection; Large-scale systems; Observability; Payloads; Propagation delay; Statistics; Telecommunication traffic;
Conference_Titel :
Communications, Computers and Signal Processing, 2003. PACRIM. 2003 IEEE Pacific Rim Conference on
Print_ISBN :
0-7803-7978-0
DOI :
10.1109/PACRIM.2003.1235911