
Historical Alert Analysis in Host-based Intrusion Detection

Ashouri, Morteza | 2009

Type of Document: M.Sc. Thesis
Language: Farsi
Document No: 40707 (19)
University: Sharif University of Technology
Department: Computer Engineering
Advisor(s): Abolhassani, Hassan

Abstract:

In the last decade, intrusion detection systems have attracted attention because of their importance in network security, but they still have shortcomings. The main problem is that they generate a large number of low-level alerts, many of which are actually false positives. One suggested solution is alert correlation analysis. Because of false positives, alert correlation techniques are not able to build accurate scenarios, but the accuracy of alerts can be verified with the aid of the information logged on the host systems. In this dissertation, after surveying the current alert correlation techniques, a model is introduced to effectively verify the generated alerts and to apply correlation techniques to the alerts with the higher probability of correctness. The presented model consists of two steps. First, unrelated alerts are identified using information about the network and its policies; then, by means of statistical alert correlation methods, the alerts correlated with those unrelated alerts are also marked as unrelated. The marked alerts are filtered out at the end of this step. The second step begins with the verification of the alerts against the logs generated on the host system. Next, the verified alerts are correlated, a graph is constructed for each scenario, and a priority and an accuracy value are determined from the alerts present in each graph. The network administrator uses the priority and accuracy values to plan actions against the attacks.

Keywords: Intrusion Detection System; Alert Correlation; False Alarm; Data Mining
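The two-step model sketched in the abstract, worked through on constructed data as an added example (not code from the thesis): step 1 drops alerts that contradict the network policy and any alerts correlated with them; step 2 verifies the survivors against host logs, builds one scenario graph per (source, target) pair, and grades each graph with a priority and an accuracy value. The alert and log formats, the policy table, the time-window verification rule, the "same source, target and service" stand-in for statistical correlation, and the scoring rules are all assumptions made for the example.

```python
"""Alert verification and scenario grading, illustrating the two-step model in the
abstract above. Added example; alert/log formats, policy table and scoring rules
are assumptions, and all input data is constructed."""
from collections import defaultdict

# Constructed network policy: the services each host actually exposes.
NETWORK_POLICY = {
    "10.0.0.5": {"http"},
    "10.0.0.6": {"ssh", "http"},
}

# Constructed low-level NIDS alerts (time in seconds, source, target, service, signature, severity 1-5).
ALERTS = [
    {"id": 1, "t": 100, "src": "192.0.2.10", "dst": "10.0.0.5", "service": "http", "sig": "dir-scan", "sev": 2},
    {"id": 2, "t": 105, "src": "192.0.2.10", "dst": "10.0.0.5", "service": "http", "sig": "cmd-injection", "sev": 5},
    {"id": 6, "t": 108, "src": "192.0.2.10", "dst": "10.0.0.5", "service": "http", "sig": "path-traversal", "sev": 4},
    {"id": 3, "t": 110, "src": "192.0.2.10", "dst": "10.0.0.5", "service": "smtp", "sig": "smtp-probe", "sev": 1},
    {"id": 4, "t": 120, "src": "192.0.2.10", "dst": "10.0.0.5", "service": "smtp", "sig": "smtp-overflow", "sev": 5},
    {"id": 5, "t": 200, "src": "198.51.100.7", "dst": "10.0.0.6", "service": "ssh", "sig": "brute-force", "sev": 3},
]

# Constructed host logs: (host, time, event text) as written by the target systems.
HOST_LOGS = [
    ("10.0.0.5", 101, "http GET /admin/ 404 from 192.0.2.10"),
    ("10.0.0.5", 106, "http POST /cgi from 192.0.2.10; sh spawned by httpd"),
    ("10.0.0.6", 201, "sshd: 40 failed passwords from 198.51.100.7"),
]


def step1_filter(alerts, policy):
    """Step 1: mark alerts whose target does not run the attacked service as
    unrelated (they contradict the network policy), then propagate the mark to
    alerts sharing source, target and service with a marked one. The shared-key
    rule is an assumed stand-in for the statistical correlation in the abstract."""
    unrelated = {a["id"] for a in alerts if a["service"] not in policy.get(a["dst"], set())}
    keys = {(a["src"], a["dst"], a["service"]) for a in alerts if a["id"] in unrelated}
    for a in alerts:
        if (a["src"], a["dst"], a["service"]) in keys:
            unrelated.add(a["id"])
    return [a for a in alerts if a["id"] not in unrelated]


def verify(alert, logs, window=10):
    """Step 2a: an alert is verified when the target host logged an event naming
    the same service and source within `window` seconds after the alert."""
    return any(host == alert["dst"] and alert["t"] <= t <= alert["t"] + window
               and alert["service"] in event and alert["src"] in event
               for host, t, event in logs)


def step2_scenarios(alerts, logs):
    """Step 2b: group alerts per (src, dst) into a scenario; the graph holds the
    verified alerts as nodes with edges in time order. Priority is the highest
    verified severity, accuracy the fraction of the scenario's alerts that the
    host logs confirmed."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["t"]):
        groups[(a["src"], a["dst"])].append(a)
    scenarios = []
    for (src, dst), chain in groups.items():
        verified = [a for a in chain if verify(a, logs)]
        scenarios.append({
            "src": src, "dst": dst,
            "nodes": [a["id"] for a in verified],
            "edges": [(x["id"], y["id"]) for x, y in zip(verified, verified[1:])],
            "priority": max((a["sev"] for a in verified), default=0),
            "accuracy": len(verified) / len(chain),
        })
    return scenarios


def analyse(alerts=ALERTS, logs=HOST_LOGS, policy=NETWORK_POLICY):
    """Run both steps and return scenarios, most urgent first."""
    return sorted(step2_scenarios(step1_filter(alerts, policy), logs),
                  key=lambda s: (-s["priority"], -s["accuracy"]))


if __name__ == "__main__":
    for scenario in analyse():
        print(scenario)
```

On this input the two smtp alerts against 10.0.0.5 are dropped in step 1 because that host exposes no smtp service; the http scenario from 192.0.2.10 keeps two of its three alerts after verification (the path-traversal alert has no matching host event), so it is reported with priority 5 and accuracy 2/3, ahead of the ssh brute-force scenario with priority 3.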
