DocumentCode :
2949289
Title :
Necessary conditions for determining a robust time threshold in standard INFOSEC alert clustering algorithms
Author :
Neville, Stephen W.
Author_Institution :
Dept. Electr. & Comput. Eng., Victoria Univ., BC, Canada
Volume :
1
fYear :
2005
fDate :
10-12 Oct. 2005
Firstpage :
791
Abstract :
The standard INFOSEC alert clustering algorithms use a predetermined fixed time threshold to specify the maximum duration over which new INFOSEC alerts can be added to existing alert clusters. Since these alert clusters are the basis of further alert correlation processing, an important question is whether this time threshold can be set robustly, in the sense that an optimal value can be found that is independent of the attackers' actions. In this work the necessary conditions for such a robust threshold to be determined are derived. It is then discussed that these conditions cannot be assumed to hold for operational real-world deployments of alert clustering systems in large-scale networks.
Keywords :
pattern clustering; security of data; INFOSEC alert clustering algorithm; alert clustering system; alert correlation processing; large scale network; predetermined fixed time threshold; robust time threshold; Clustering algorithms; Current measurement; Delay; Feedback; Fusion power generation; Information analysis; Information security; Large-scale systems; Measurement standards; Robustness; INFOSEC alerts; alert clustering; large-scale networks; time thresholds;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Systems, Man and Cybernetics, 2005 IEEE International Conference on
Print_ISBN :
0-7803-9298-1
Type :
conf
DOI :
10.1109/ICSMC.2005.1571243
Filename :
1571243