DocumentCode
3229072
Title
Design and implementation of a distributed IDS alert aggregation model
Author
Fan, Guo ; Jihua, Ye ; Min, Yu
Author_Institution
Coll. of Comput. Inf. Eng., Jiangxi Normal Univ., Nanchang, China
fYear
2009
fDate
25-28 July 2009
Firstpage
975
Lastpage
980
Abstract
How to aggregate and reduce duplicated alerts from different IDSs is one of the most important problems in the distributed IDS research area. The article proposes a distributed alert aggregation model composed of local components and network components. Local components transform raw alerts originating from traditional IDSs into IDMEF-based alerts with a uniform format, which are sent to network components. Network components aggregate similar alerts into a meta-alert, using an aggregation algorithm based on category and feature similarity. A subscription-based communication mechanism and multiple kinds of messages are also proposed to meet the communication demands between the components and to share information across the whole network. Experiments on the DARPA99 data set indicate the effectiveness of the model.
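The two stages the abstract describes, a local component that normalizes raw sensor output into uniform IDMEF-style alerts and a network component that folds similar alerts into meta-alerts by category and feature similarity, can be illustrated end to end. The following is an added example written for this record; it is not the authors' code and the paper's actual similarity function, weights and thresholds are not reproduced here. Everything in it is assumed or constructed: the Snort "fast"-style input lines, the sensor ids, the year 2009 stamped onto the year-less timestamps, the feature weights (5/2/2/1 out of 10), the merge threshold of 7 and the 60-second window.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample input (not from the paper): (sensor id, Snort "fast"-style alert line).
# Two sensors report the same scan; the last line repeats the first one 30 minutes later.
RAW_ALERTS = [
    ("ids-1", "07/25-10:00:01.000000 [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:22"),
    ("ids-2", "07/25-10:00:02.000000 [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:22"),
    ("ids-1", "07/25-10:00:03.000000 [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.10:80"),
    ("ids-1", "07/25-10:00:05.000000 [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 192.168.1.11:22"),
    ("ids-1", "07/25-10:00:07.000000 [**] [1:1122:5] WEB-MISC /etc/passwd [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40010 -> 192.168.1.10:80"),
    ("ids-2", "07/25-10:30:00.000000 [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:22"),
]

SNORT_FAST = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[^\]]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class IdmefAlert:
    """The subset of IDMEF (RFC 4765) Alert fields this aggregation uses."""
    ident: str
    analyzer_id: str
    create_time: datetime
    classification: str
    source_addr: str
    target_addr: str
    target_port: int


def normalize(sensor_id: str, line: str, seq: int) -> IdmefAlert:
    """Local component: turn one raw sensor line into a uniform IDMEF-style alert."""
    m = SNORT_FAST.match(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    # Snort fast timestamps carry no year; 2009 is an assumed value for this sample.
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=2009)
    return IdmefAlert(ident=f"{sensor_id}-{seq}", analyzer_id=sensor_id, create_time=ts,
                      classification=m["cls"], source_addr=m["src"],
                      target_addr=m["dst"], target_port=int(m["dport"]))


@dataclass
class MetaAlert:
    """One aggregated alert; alert_idents plays the role of IDMEF CorrelationAlert/alertident."""
    classification: str
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    analyzers: set = field(default_factory=set)
    alert_idents: list = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.alert_idents)

    def absorb(self, a: IdmefAlert) -> None:
        """Fold an alert in, widening the feature sets and the time span."""
        self.last_seen = max(self.last_seen, a.create_time)
        self.sources.add(a.source_addr)
        self.targets.add(a.target_addr)
        self.ports.add(a.target_port)
        self.analyzers.add(a.analyzer_id)
        self.alert_idents.append(a.ident)


# Assumed weights (sum to 10), merge threshold and time window; not the paper's values.
WEIGHTS = {"classification": 5, "source": 2, "target": 2, "port": 1}
THRESHOLD = 7
WINDOW = timedelta(seconds=60)


def similarity(meta: MetaAlert, a: IdmefAlert) -> int:
    """Category (classification) dominates; each other feature scores if shared with the meta-alert."""
    score = 0
    if a.classification == meta.classification:
        score += WEIGHTS["classification"]
    if a.source_addr in meta.sources:
        score += WEIGHTS["source"]
    if a.target_addr in meta.targets:
        score += WEIGHTS["target"]
    if a.target_port in meta.ports:
        score += WEIGHTS["port"]
    return score


def aggregate(alerts) -> list:
    """Network component: fold alerts, in time order, into the best-matching open meta-alert."""
    metas = []
    for a in sorted(alerts, key=lambda x: x.create_time):
        best, best_score = None, 0
        for m in metas:
            # The window is a hard gate: a stale meta-alert never absorbs a new alert.
            if a.create_time - m.last_seen > WINDOW:
                continue
            s = similarity(m, a)
            if s >= THRESHOLD and s > best_score:
                best, best_score = m, s
        if best is None:
            best = MetaAlert(a.classification, a.create_time, a.create_time)
            metas.append(best)
        best.absorb(a)
    return metas


def run() -> list:
    """Normalize the constructed sample and aggregate it; returns the meta-alerts."""
    alerts = [normalize(sensor, line, i) for i, (sensor, line) in enumerate(RAW_ALERTS)]
    return aggregate(alerts)


if __name__ == "__main__":
    for m in run():
        print(f"{m.classification}: {m.count} alerts from {sorted(m.analyzers)} "
              f"{m.first_seen:%H:%M:%S}-{m.last_seen:%H:%M:%S} targets={sorted(m.targets)} ports={sorted(m.ports)}")
```

On the constructed input the six raw alerts collapse to three meta-alerts: the scan reported by both sensors (four alerts, including the cross-sensor duplicate) becomes one meta-alert spanning two targets and two ports, the web attack stays separate because its category differs, and the repeat of the scan 30 minutes later opens a new meta-alert because it falls outside the window. The window gate is what keeps an unbounded meta-alert from absorbing unrelated activity indefinitely; a deployment would tune both it and the threshold against the alert mix of its own sensors.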
Keywords
distributed processing; security of data; alert aggregation model; distributed IDS; distributed intrusion detection system; network components; subscription-based communication mechanism; Aggregates; Algorithm design and analysis; Computer science; Computer science education; Design engineering; Distributed computing; Distributed databases; Educational institutions; Intrusion detection; Spatial databases; Alert Aggregation; Feature Similarity; IDS;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Science & Education, 2009. ICCSE '09. 4th International Conference on
Conference_Location
Nanning
Print_ISBN
978-1-4244-3520-3
Electronic_ISBN
978-1-4244-3521-0
Type
conf
DOI
10.1109/ICCSE.2009.5228172
Filename
5228172
Link To Document