Title :
A framework for multi-stage attack detection
Author :
Alserhani, Faeiz
Author_Institution :
Commun. & Inf. Security Dept., King Fahd Security Coll., Saudi Arabia
Abstract :
Network Intrusion Detection Systems (NIDS) are considered essential mechanisms for ensuring reliable security. In an intrusion detection context, neither of the two main detection approaches (signature-based and anomaly-based) is fully satisfactory. False positives (benign activity reported as attacks) and false negatives (attacks that go undetected) are the major limitations of such systems. The generated alerts are elementary and produced in huge numbers. Hence, alert correlation techniques are used to provide a complementary analysis that links elementary alerts and provides a more global view of an intrusion. We propose an alert correlation and aggregation framework based on the requires/provides model. The objective is to discover the logical relationships between atomic alerts that potentially belong to a multi-stage attack. The obtained results illustrate that the proposed system can effectively detect coordinated attacks with a minimum of false positives.
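The abstract describes correlation in the requires/provides sense: each attack step has prerequisites it requires and capabilities it provides, and two atomic alerts are linked when an earlier alert provides what a later alert on the same target requires, so that chains of linked alerts surface as multi-stage attacks while unlinked alerts are candidates for being false positives. The following Python block is an added illustration of that idea, not code from the paper or its framework. The knowledge base of step types, the predicate names (service_known, vuln_known, shell_access, root_access, data_stolen) and the seven sample alerts are all constructed assumptions for the example.

```python
"""Minimal requires/provides alert correlation (illustrative, not the paper's code).

Each NIDS alert is mapped to a step type whose prerequisites (requires) and
resulting capabilities (provides) are predicates over the target host.  An
earlier alert is linked to a later one on the same host when the earlier
alert's provides overlap the later alert's requires.  Longest linked chains
are reported as multi-stage attack scenarios; alerts with neither a
predecessor nor a successor are reported as isolated (likely false positives).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical knowledge base: step type -> (requires, provides).
# Predicate names are constructed for this example.
KNOWLEDGE_BASE: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {
    "port_scan":       (frozenset(),                                  frozenset({"service_known"})),
    "vuln_probe":      (frozenset({"service_known"}),                 frozenset({"vuln_known"})),
    "remote_exploit":  (frozenset({"vuln_known"}),                    frozenset({"shell_access"})),
    "priv_escalation": (frozenset({"shell_access"}),                  frozenset({"root_access"})),
    "data_exfil":      (frozenset({"shell_access", "root_access"}),   frozenset({"data_stolen"})),
}


@dataclass(frozen=True)
class Alert:
    alert_id: int
    timestamp: int   # seconds; constructed values, only the ordering matters
    step: str        # step type, a key of KNOWLEDGE_BASE
    src: str
    dst: str         # target host; correlation is performed per target


def requires(a: Alert) -> FrozenSet[str]:
    return KNOWLEDGE_BASE[a.step][0]


def provides(a: Alert) -> FrozenSet[str]:
    return KNOWLEDGE_BASE[a.step][1]


def correlate(alerts: List[Alert]) -> Dict[int, List[int]]:
    """Map each alert id to the ids of earlier alerts on the same target whose
    provides satisfy at least one of its requires (partial matching, so a
    chain survives when the NIDS missed one intermediate step)."""
    ordered = sorted(alerts, key=lambda a: a.timestamp)
    preds: Dict[int, List[int]] = {a.alert_id: [] for a in ordered}
    for i, later in enumerate(ordered):
        needed = requires(later)
        if not needed:
            continue  # a step with no prerequisites can only start a chain
        for earlier in ordered[:i]:
            if earlier.dst == later.dst and provides(earlier) & needed:
                preds[later.alert_id].append(earlier.alert_id)
    return preds


def attack_scenarios(alerts: List[Alert], preds: Dict[int, List[int]]) -> List[List[int]]:
    """Return the longest chain ending at every alert that has no successor,
    keeping only chains of two or more alerts (single alerts are not scenarios)."""
    ordered = sorted(alerts, key=lambda a: a.timestamp)
    best: Dict[int, List[int]] = {}
    for a in ordered:
        candidates = [best[p] for p in preds[a.alert_id]]
        longest = max(candidates, key=len, default=[])
        best[a.alert_id] = longest + [a.alert_id]
    has_successor = {p for ps in preds.values() for p in ps}
    chains = [c for aid, c in best.items() if aid not in has_successor and len(c) > 1]
    return sorted(chains, key=len, reverse=True)


def isolated_alerts(alerts: List[Alert], preds: Dict[int, List[int]]) -> List[int]:
    """Alerts that neither follow nor precede another alert on their target."""
    has_successor = {p for ps in preds.values() for p in ps}
    return sorted(a.alert_id for a in alerts
                  if not preds[a.alert_id] and a.alert_id not in has_successor)


# Constructed sample alerts: a five-step intrusion against 192.168.1.10,
# an unrelated scan of 192.168.1.20, and an exploit alert on 192.168.1.30
# with no observed prerequisite.
SAMPLE_ALERTS = [
    Alert(1, 1000, "port_scan",       "10.0.0.5",     "192.168.1.10"),
    Alert(2, 1060, "vuln_probe",      "10.0.0.5",     "192.168.1.10"),
    Alert(3, 1120, "remote_exploit",  "10.0.0.5",     "192.168.1.10"),
    Alert(4, 1300, "priv_escalation", "192.168.1.10", "192.168.1.10"),
    Alert(5, 1400, "data_exfil",      "192.168.1.10", "192.168.1.10"),
    Alert(6, 1050, "port_scan",       "10.0.0.9",     "192.168.1.20"),
    Alert(7, 1200, "remote_exploit",  "10.0.0.7",     "192.168.1.30"),
]

if __name__ == "__main__":
    links = correlate(SAMPLE_ALERTS)
    print("scenarios:", attack_scenarios(SAMPLE_ALERTS, links))   # [[1, 2, 3, 4, 5]]
    print("isolated:", isolated_alerts(SAMPLE_ALERTS, links))      # [6, 7]
```

The design choice worth noting is the partial match in `correlate`: linking on any overlap between provides and requires tolerates a missed step (a false negative) at the cost of weaker evidence per link, whereas demanding that every predicate in requires be provided by some predecessor would suppress more false positives but break a chain whenever the NIDS misses one stage. Alert 7 shows the isolated case: an exploit alert whose prerequisite was never observed is reported on its own rather than silently attached to an unrelated scan.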
Keywords :
computer network security; aggregation framework; alert correlation technique; atomic alerts; coordinated attack detection; global intrusion view; link elementary alert; logical relationship; minimum false positive; multistage attack detection; network intrusion detection systems; requires/provides model; Correlation; Engines; IP networks; Knowledge based systems; Security; Alerts correlation; Network intrusion detection systems; multi-stage attack;
Conference_Titel :
Electronics, Communications and Photonics Conference (SIECPC), 2013 Saudi International
Conference_Location :
Fira
Print_ISBN :
978-1-4673-6196-5
Electronic_ISBN :
978-1-4673-6194-1
DOI :
10.1109/SIECPC.2013.6550973