Integrating security operator knowledge and preferences to the alert correlation process

Author

Bouzar-Benlabiod, Lydia ; Benferhat, Salem ; Boubana-Tebibel, Thouraya

Author_Institution

Grad. Sch. (STIC), Nat. Sch. of Comput. (ESI), Algiers, Algeria

fYear

2010

fDate

3-5 Oct. 2010

Firstpage

416

Lastpage

420

Abstract

Intrusion Detection Systems (IDS) are necessary for the system monitoring. However they produce a huge quantity of alerts. Alert correlation is a process applied to the IDS alerts in order to reduce their number. In this paper we propose a new approach for alert correlation which enables the integration of new information to the alert correlation process: Security operator´s knowledge and preferences. This information concerns the monitoring system and the risk level of each alert in according for instance to the operator´s experiences. The representation and the reasoning on these knowledge and preferences are done using the Qualitative Choice Logic (QCL) and its extensions: Prioritized Qualitative Choice Logic (PQCL) and Positive Qualitative Choice Logic (QCL+). Experimental results are achieved on data from a real system monitoring. The result is a set of ordered alerts which satisfies operator´s criteria.

Keywords

computerised monitoring; security of data; alert correlation process; intrusion detection systems; positive qualitative choice logic; prioritized qualitative choice logic; security operator knowledge; security operator preferences; system monitoring; Cognition; Correlation; Intrusion detection; Monitoring; Polynomials; Quantum cascade lasers; IDS; QCL; alert correlation; knowledge; preferences;

fLanguage

English

Publisher

ieee

Conference_Titel

Machine and Web Intelligence (ICMWI), 2010 International Conference on

Conference_Location

Algiers

Print_ISBN

978-1-4244-8608-3

Type

conf

DOI

10.1109/ICMWI.2010.5648098

Filename

5648098