DocumentCode :
2769118
Title :
Alert Correlation Using Correlation Probability Estimation and Time Windows
Author :
Ahmadinejad, Seyed Hossein ; Jalili, Saeed
Author_Institution :
Comput. Eng. Dept., Tarbiat Modares Univ., Tehran, Iran
Volume :
2
fYear :
2009
fDate :
13-15 Nov. 2009
Firstpage :
170
Lastpage :
175
Abstract :
Intrusion detection systems (IDS) as a part of today's networks raise millions of low-level alerts every day. Consequently, it is difficult for humans to analyze them. Alert correlation techniques have been developed during recent years to decrease the number of alerts and provide a high-level abstraction of them for a network administrator. In this paper, we suggest a new method for correlating alerts based on their attributes. We use time windows along with a classification method to distinguish those received alerts that are correlated with the new alert. Time windows are applied for reducing the number of comparisons and improving the accuracy of correlation. Our experiments, which were done on DARPA2000, show that while the cost of comparisons dropped noticeably, the correlation method performed accurately. Our method is not limited to known attack scenarios and does not need extra domain knowledge except for training the classifier.
Keywords :
computer networks; correlation methods; estimation theory; probability; telecommunication security; DARPA2000; alert correlation; classification method; correlation method; correlation probability estimation; intrusion detection system; network security; time windows; Correlation; Costs; Humans; Intrusion detection; Large-scale systems; Protection; Alert Correlation; Intrusion Detection; Network Security; Time Window;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Technology and Development, 2009. ICCTD '09. International Conference on
Conference_Location :
Kota Kinabalu
Print_ISBN :
978-0-7695-3892-1
Type :
conf
DOI :
10.1109/ICCTD.2009.22
Filename :
5360130
Link To Document :