
An Alert Correlation System with the Throughput of Multi-Thousands Events per Second

Mirheidari, Ali | 2013

Type of Document: M.Sc. Thesis
Language: English
Document No: 45691 (52)
University: Sharif University of Technology, International Campus, Kish Island
Department: Science and Engineering
Advisor(s): Jalili, Rasoul

Abstract:
With the growing deployment of host- and network-based intrusion detection systems, analyzing the alerts these systems generate has become both critically important and challenging, because of the complexity and sheer volume of the data. Alert correlation systems are a possible solution for deep analysis of incoming alerts in response to potential attacks against enterprise networks. Although several alert correlation systems have been proposed for this purpose, most of them cannot sustain a high input rate because of their centralized architecture. In this thesis, we propose a system architecture and a correlation approach that are extensible, flexible, and modular. The architecture comprises three main components: a Collector, a Correlation Engine, and a Distributed Database. The Correlation Engine employs a new algorithm that is able to handle several thousand events per second. The algorithm draws on all three well-known approaches in the literature, similarity-based, knowledge-based, and statistical, to analyze the incoming alerts and generate meta-alerts. By combining this architecture with the correlation approach, we aim to handle several thousand alerts per second.

Keywords: Architecture ; Alert Correlation ; Throughput ; Meta-Alert ; Statistical Filters
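To make the three correlation approaches named in the abstract concrete, the following is an added toy correlation engine written for this page; it is not the thesis's implementation and does not reflect its actual algorithm or data model. It runs a statistical filter (drop signatures whose count in the batch does not exceed a constructed per-window baseline), a similarity-based stage (merge alerts with the same source, destination and signature within a time window into one meta-alert), and a knowledge-based stage (match the ordered signature chain between a host pair against a small scenario knowledge base). The alert format, the window of 60 seconds, the baseline table, the scenario definitions and the sample alerts are all constructed assumptions.

```python
"""Toy alert correlation pipeline: statistical filter -> similarity merge ->
knowledge-based scenario matching. Illustrative only; not the thesis's code."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    sig: str     # IDS signature / alert class name


@dataclass
class MetaAlert:
    kind: str        # "aggregate" or a scenario name from the knowledge base
    src: str
    dst: str
    sigs: list       # signatures covered by this meta-alert
    first_ts: int
    last_ts: int
    count: int       # number of raw alerts folded into this meta-alert


WINDOW = 60  # seconds; assumed merge window for the similarity stage

# Assumed knowledge base: ordered signature chains that form a known scenario.
SCENARIOS = {"scan_exploit_callback": ["PORT_SCAN", "SMB_EXPLOIT", "OUTBOUND_SHELL"]}

# Assumed per-window baseline counts; a signature seen at or below its
# baseline is treated as background noise and filtered out.
BASELINE = {"ICMP_PING": 5}

# Constructed sample alerts (not real IDS output).
SAMPLE_ALERTS = [
    Alert(1000, "10.0.0.5", "192.168.1.10", "PORT_SCAN"),
    Alert(1001, "10.0.0.5", "192.168.1.10", "PORT_SCAN"),
    Alert(1002, "10.0.0.5", "192.168.1.10", "PORT_SCAN"),
    Alert(1030, "10.0.0.5", "192.168.1.10", "SMB_EXPLOIT"),
    Alert(1040, "192.168.1.10", "10.0.0.5", "OUTBOUND_SHELL"),  # reverse direction
    Alert(1010, "10.0.0.9", "192.168.1.20", "ICMP_PING"),       # below baseline
    Alert(1500, "10.0.0.7", "192.168.1.30", "SQL_INJECTION"),
]


def statistical_filter(alerts, baseline=BASELINE):
    """Keep only alerts whose signature count in this batch exceeds its baseline."""
    counts = Counter(a.sig for a in alerts)
    return [a for a in alerts if counts[a.sig] > baseline.get(a.sig, 0)]


def similarity_merge(alerts, window=WINDOW):
    """Single pass: fold alerts with identical (src, dst, sig) that arrive within
    `window` seconds of the previous one into a single aggregate meta-alert."""
    merged, open_by_key = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.sig)
        m = open_by_key.get(key)
        if m is not None and a.ts - m.last_ts <= window:
            m.last_ts, m.count = a.ts, m.count + 1
        else:
            m = MetaAlert("aggregate", a.src, a.dst, [a.sig], a.ts, a.ts, 1)
            open_by_key[key] = m
            merged.append(m)
    return merged


def is_subsequence(pattern, seq):
    """True if `pattern` appears in `seq` in order (gaps allowed)."""
    it = iter(seq)
    return all(any(s == p for s in it) for p in pattern)


def knowledge_correlate(metas, scenarios=SCENARIOS):
    """Group aggregates by unordered host pair, then match the time-ordered
    signature chain of each pair against every scenario in the knowledge base."""
    by_pair = defaultdict(list)
    for m in sorted(metas, key=lambda x: x.first_ts):
        by_pair[frozenset((m.src, m.dst))].append(m)
    found = []
    for chain in by_pair.values():
        sigs = [m.sigs[0] for m in chain]
        for name, pattern in scenarios.items():
            if is_subsequence(pattern, sigs):
                found.append(MetaAlert(name, chain[0].src, chain[0].dst, list(pattern),
                                       chain[0].first_ts, chain[-1].last_ts,
                                       sum(m.count for m in chain)))
    return found


def correlate(alerts):
    """Full pipeline; returns aggregate meta-alerts followed by scenario meta-alerts."""
    aggregates = similarity_merge(statistical_filter(alerts))
    return aggregates + knowledge_correlate(aggregates)


if __name__ == "__main__":
    for m in correlate(SAMPLE_ALERTS):
        print(m)
```

On the constructed batch, seven raw alerts become four aggregates plus one scenario meta-alert covering the scan, exploit and callback between the same host pair. The similarity stage is a single pass with a dictionary lookup per alert, which is the kind of linear-time structure a high-throughput engine needs; the knowledge stage here keeps every aggregate per host pair in memory, so a production engine would additionally expire chains that fall outside a scenario window.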

