Distributed multistage alert correlation architecture based on Hadoop
Author: J. Rees
Published in: 2015 International Carnahan Conference on Security Technology (ICCST), September 2015
DOI: 10.1109/CCST.2015.7389673 (https://doi.org/10.1109/CCST.2015.7389673)
Citations: 2
Abstract
There are three main approaches to designing an alert correlation architecture: centralised, hierarchical, and decentralised. Centralised approaches benefit from simplicity of implementation and high algorithm expressiveness, but scale poorly. Hierarchical and decentralised approaches alleviate the scalability problem, but at the cost of additional implementation complexity and lower algorithm quality. This paper introduces a new alert correlation architecture based on Hadoop. The architecture allows for greater scalability whilst maintaining algorithm expressiveness and design simplicity. It incorporates alert aggregation, verification, and correlation components, which together provide a clear and succinct view of potentially malicious activity. Each component was tested against a series of datasets representing potential real-world scenarios, on clusters of varying size. The results demonstrate that all components in the architecture can scale across many nodes in a cluster, allowing large and complex attack scenarios to be processed in a timely manner.
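To make the three stages named in the abstract concrete, the following is an added illustration of an aggregation, verification and correlation pipeline written in a map/reduce style. It is not the paper's Hadoop implementation and does not claim to reproduce its algorithms: the alert fields, the time window, the asset inventory (ASSETS), the required-port table (NEEDS_PORT) and the prerequisite/consequence model (PROVIDES, REQUIRES) are all assumptions chosen for the example, and the input alerts are constructed.

```python
"""Illustrative three-stage alert correlation pipeline in a map/reduce style.

Added example, not the paper's code. Every table below is an assumption made
for the illustration; the alerts are constructed, not captured.
"""
from collections import defaultdict, namedtuple

# Constructed IDS alerts: (timestamp, signature, src, dst, dst_port)
ALERTS = [
    (100, "portscan",    "10.0.0.5",  "10.0.1.20",    0),
    (101, "portscan",    "10.0.0.5",  "10.0.1.20",    0),   # duplicate within window
    (102, "portscan",    "10.0.0.5",  "10.0.1.20",    0),
    (150, "exploit_smb", "10.0.0.5",  "10.0.1.20",    445),
    (160, "exploit_smb", "10.0.0.5",  "10.0.1.21",    445), # target has no SMB open
    (200, "c2_beacon",   "10.0.1.20", "198.51.100.9", 443),
    (999, "portscan",    "10.0.0.7",  "10.0.1.22",    0),   # isolated, no chain
]

# Assumed asset inventory: host -> set of open ports (would come from a scanner/CMDB)
ASSETS = {"10.0.1.20": {445, 80}, "10.0.1.21": {22}, "10.0.1.22": {80}}
# Assumed table: signature -> port the attack needs open on the target (None = any)
NEEDS_PORT = {"portscan": None, "exploit_smb": 445, "c2_beacon": None}
# Assumed prerequisite/consequence model: what a step provides and what it requires
PROVIDES = {"portscan": "recon", "exploit_smb": "host_compromise", "c2_beacon": "c2"}
REQUIRES = {"exploit_smb": "recon", "c2_beacon": "host_compromise"}

WINDOW = 10  # seconds; assumed aggregation window
Alert = namedtuple("Alert", "ts sig src dst dport count")


def aggregate(alerts, window=WINDOW):
    """Stage 1. Map: key each alert by (signature, src, dst, time bucket).
    Reduce: merge each bucket into one alert carrying the first timestamp and a hit count."""
    buckets = defaultdict(list)
    for ts, sig, src, dst, dport in alerts:                 # map
        buckets[(sig, src, dst, ts // window)].append((ts, dport))
    merged = []
    for (sig, src, dst, _bucket), hits in buckets.items():  # reduce
        first_ts = min(t for t, _ in hits)
        merged.append(Alert(first_ts, sig, src, dst, hits[0][1], len(hits)))
    return sorted(merged)


def verify(alerts, assets=ASSETS):
    """Stage 2 (map-only). Drop alerts whose target cannot be affected because the
    port the attack needs is not open on the target host."""
    kept = []
    for a in alerts:
        need = NEEDS_PORT.get(a.sig)
        if need is None or need in assets.get(a.dst, set()):
            kept.append(a)
    return kept


def _linked(prev, cur):
    """cur can follow prev if prev provides what cur requires, prev happened earlier,
    and the two share a host (same target, or prev's target is cur's source)."""
    return (prev.ts < cur.ts
            and REQUIRES.get(cur.sig) == PROVIDES.get(prev.sig)
            and (cur.dst == prev.dst or cur.src == prev.dst))


def correlate(alerts):
    """Stage 3. Chain verified alerts into attack scenarios: each alert joins the
    scenario of the earliest alert that can precede it, or starts a new one.
    Returns scenarios as lists of signatures in time order."""
    alerts = sorted(alerts)
    scenario_of = {}                 # alert index -> scenario id
    scenarios = defaultdict(list)    # scenario id -> alerts
    for i, cur in enumerate(alerts):
        sid = next((scenario_of[j] for j in range(i) if _linked(alerts[j], cur)), None)
        if sid is None:
            sid = len(scenarios)
        scenario_of[i] = sid
        scenarios[sid].append(cur)
    return [[a.sig for a in scenarios[s]] for s in sorted(scenarios)]


def run_pipeline(raw_alerts=ALERTS):
    """Run the three stages in order and return each stage's output."""
    aggregated = aggregate(raw_alerts)
    verified = verify(aggregated)
    return aggregated, verified, correlate(verified)


if __name__ == "__main__":
    agg, ver, scenarios = run_pipeline()
    print(f"{len(ALERTS)} raw -> {len(agg)} aggregated -> {len(ver)} verified")
    for s in scenarios:
        print(" -> ".join(s))
```

Two caveats a practitioner would keep in mind: bucketing by `ts // window` splits a burst that straddles a bucket boundary into two aggregated alerts (a sliding window or a reduce-side merge of adjacent buckets fixes that), and the verification stage is only as good as the asset inventory it consults, so a stale inventory silently discards real alerts. Each stage here is expressed as independent map and reduce steps precisely so that it could be spread over many nodes, which is the scaling property the abstract claims for the Hadoop design.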