Agent based correlation model for intrusion detection alerts

Taha, Ayman; Ghaffar, Ismail Abdel; Bahaa-Eldin, Ayman M.; Mahdi, Hani

doi:10.1109/isi.2010.5484771

Cited by 18 publications

(10 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [28], Taha et al presented an agent-based alert correlation model. A learning agent learns the nature of dataset to select which components to be used and in which order.…”

Section: Related Workmentioning

confidence: 99%

Reducing the Correlation Processing Time by Using a Novel Intrusion Alert Correlation Model

Elshoush¹

2014

SpecialIssue

View full text Add to dashboard Cite

Abstract-Alert correlation analyzes the alerts from one or more Collaborative Intrusion Detection Systems (CIDSs) to produce a concise overview of security-related activity on the network. The correlation process consists of multiple components, each responsible for a different aspect of the overall correlation goal. The sequential order of the correlation components affects the correlation process performance. Furthermore, the total time needed for the whole process depends on the number of processed alerts in each component. This paper presents an innovative alert correlation framework that minimizes the number of processed alerts on each component and thus reducing the correlation processing time. By reordering the components, the introduced correlation model reduces the number of processed alerts as early as possible by discarding the irrelevant, unreal and false alerts in the early phases of the correlation process. A new component, shushing the alerts, is added to deal with the unrelated and false positive alerts. A modified algorithm for fusing the alerts is outlined. The intruders' intention is grouped into attack scenarios and thus used to detect future attacks. DARPA 2000 intrusion detection scenario specific datasets and a testbed network were used to evaluate the innovative alert correlation model. Comparisons with a previous correlation system were performed. The results of processing these datasets and recognizing the attack patterns demonstrated the potential of the improved correlation model and gave favorable results.

show abstract

“…In [28], Taha et al presented an agent-based alert correlation model. A learning agent learns the nature of dataset to select which components to be used and in which order.…”

Section: Related Workmentioning

confidence: 99%

Reducing the Correlation Processing Time by Using a Novel Intrusion Alert Correlation Model

Elshoush¹

2014

SpecialIssue

View full text Add to dashboard Cite

show abstract

Section: Problems Of Intrusion Detection Systemmentioning

confidence: 99%

“…First, IDSs may generate overwhelmingly large numbers of alerts which makes it impossible to correlate them in order to discover their causal relationships [10][11][12][13]. Besides that, IDSs also suffer from producing almost 96% of false positives alerts [14] and among them are mixed with true ones [10,11,13]. Furthermore, IDSs may miss certain attacks especially in multi-step attacks which require network security experts to manually analyze the causal relationships between continuous attack alerts [10][11][12][13]15].…”

Section: Problems Of Intrusion Detection Systemmentioning

confidence: 99%

A Comparative Study of Alert Correlations for Intrusion Detection

Leau

Ramadass

Manickam

et al. 2013

2013 International Conference on Advanced Computer Science Applications and Technologies

View full text Add to dashboard Cite

The prevalent use of computer applications and communication technologies has rising the numbers of network intrusion attempts. These malicious attempts including hacking, botnets and works are pushing organization networks to a risky atmosphere where the intruder tries to compromise the confidentiality, integrity and availability of resources. In order to detect these malicious activities, Intrusion Detection Systems (IDSs) have been widely deployed in corporate networks. IDSs play an important role in monitoring traffic behaviors in a computer network, identifying the anomalous activity and notifying the security analyst with current network status. Unfortunately, one of the IDSs' drawbacks is they produce a large number of false positives and nonrelevant positives alerts that could overwhelm the security analyst. Therefore, the process of analyzing alerts in order to provide a more synthetic and high-level view of the attempted intrusions is needed. This process is called Alert Correlation. In this paper, we present commonly used alert correlation approaches and highlight their advantages and disadvantages from various perspectives. Subsequently, we summarize some current alert correlation models with their alert correlation approach.

show abstract

“…Efforts for IDSs are generally classified into the following categories: (1) statistical features analysis approaches, correlation analysis [2] signal processing techniques [3] (2) AI, rule-based system, agent-based approaches [4] [5] and (3) data mining-based approaches [6] [7] [8] [9].…”

Section: Introductionmentioning

confidence: 99%

An immunology-inspired multi-engine anomaly detection system with hybrid particle swarm optimisations

Jiang

Ling

Chan

et al. 2012

2012 IEEE International Conference on Fuzzy Systems

View full text Add to dashboard Cite

In this paper, multiple detection engines with multilayered intrusion detection mechanisms are proposed for enhancing computer security. The principle is to coordinate the results from each single-engine intrusion alert system, which seamlessly integrates with a multiple layered distributed service-oriented structure. An improved hidden Markov model (HMM) is created for the detection engine which is capable of the immunologybased self/nonself discrimination. The classifications of normal and abnormal behaviours of system calls are further examined by an advanced fuzzy-based inference process tuned by HPSOWM. Considering a real benchmark dataset from the public domain, our experimental results show that the proposed scheme can greatly shorten the training time of HMM and significantly reduce the false positive rate. The proposed HPSOWM works especially well for the efficient classification of unknown behaviors and malicious attacks.

show abstract

Agent based correlation model for intrusion detection alerts

Cited by 18 publications

References 6 publications

Reducing the Correlation Processing Time by Using a Novel Intrusion Alert Correlation Model

Reducing the Correlation Processing Time by Using a Novel Intrusion Alert Correlation Model

A Comparative Study of Alert Correlations for Intrusion Detection

An immunology-inspired multi-engine anomaly detection system with hybrid particle swarm optimisations

Contact Info

Product

Resources

About