Applying Data Fusion in Collaborative Alerts Correlation
Authors: Xin Zhuang, Debao Xiao, Xuejiao Liu, Yugang Zhang
Venue: 2008 International Symposium on Computer Science and Computational Technology
Published: 2008-12-20
DOI: 10.1109/ISCSCT.2008.38 (https://doi.org/10.1109/ISCSCT.2008.38)
Citations: 12
Abstract
Network intrusions of many kinds have made network security a standing concern for network administrators. Traditional security tools such as IDSs and firewalls no longer serve as effective defence mechanisms on their own: they generate elementary alerts in volumes that flood the operator, and they often have high false-alert rates. Because they are weakly collaboration-aware, they also cannot detect large distributed attacks such as a DDoS attack. In this paper we present an efficient and effective model for collaborative alert analysis. Our system strengthens alert verification using the assets' contextual information. By applying alert fusion and using a precisely defined knowledge base in the correlation phase, it also provides a way to derive general, synthetic alerts from the large volume of elementary alerts. Moreover, the system can reconstruct the attack scenarios of multi-step attacks. Experiments show that the system can effectively distinguish false positives and detect and predict large-scale attacks at an early stage.
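The abstract names three stages: verifying alerts against asset context, fusing duplicate elementary alerts into synthetic ones, and correlating the survivors into multi-step scenarios with a knowledge base. The following Python is an added illustration of those three stages written for this page; it is not the authors' system, and the asset inventory, the signature names, the prerequisite/consequence knowledge base, the confidence weights (0.1 for an OS mismatch, 0.2 for a closed port) and the sample alerts are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory (hypothetical data for this example).
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {22, 80}},
    "10.0.0.7": {"os": "windows", "services": {445, 3389}},
}

# Hypothetical knowledge base: signature -> (prerequisites, consequences).
KB = {
    "PORTSCAN":     (set(),          {"recon"}),
    "SSH_BRUTE":    ({"recon"},      {"ssh_access"}),
    "SSH_NEW_USER": ({"ssh_access"}, {"persistence"}),
    "SMB_EXPLOIT":  ({"recon"},      {"smb_access"}),
}

@dataclass
class Alert:
    sensor: str
    ts: float
    sig: str
    src: str
    dst: str
    dport: int
    target_os: Optional[str] = None  # OS the signature's exploit applies to; None = any

def verify(alert: Alert) -> float:
    """Confidence in [0, 1] that the alert is real, derived from asset context."""
    asset = ASSETS.get(alert.dst)
    if asset is None:
        return 0.5  # unknown asset: no evidence either way
    conf = 1.0
    if alert.target_os and alert.target_os != asset["os"]:
        conf *= 0.1  # exploit for an OS the target does not run (assumed weight)
    if alert.dport not in asset["services"]:
        conf *= 0.2  # nothing is listening on that port (assumed weight)
    return conf

def fuse(alerts: List[Alert], window: float = 5.0) -> List[dict]:
    """Merge alerts with identical (sig, src, dst, dport) seen within `window`
    seconds of each other into one synthetic alert carrying a count and sensor set."""
    groups: List[dict] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst, a.dport)
        for g in groups:
            if g["key"] == key and a.ts - g["last"] <= window:
                g["count"] += 1
                g["last"] = a.ts
                g["sensors"].add(a.sensor)
                break
        else:
            groups.append({"key": key, "alert": a, "first": a.ts, "last": a.ts,
                           "count": 1, "sensors": {a.sensor}})
    return groups

def correlate(groups: List[dict], min_conf: float = 0.5) -> Dict[Tuple[str, str], List[str]]:
    """Chain verified synthetic alerts into per-(src, dst) scenarios: an alert joins
    the scenario only when every prerequisite in KB was produced by an earlier step."""
    state: Dict[Tuple[str, str], set] = {}
    scenarios: Dict[Tuple[str, str], List[str]] = {}
    for g in sorted(groups, key=lambda x: x["first"]):
        a = g["alert"]
        if verify(a) < min_conf:
            continue  # asset context says this is most likely a false positive
        pre, post = KB.get(a.sig, (set(), set()))
        pair = (a.src, a.dst)
        achieved = state.setdefault(pair, set())
        if pre <= achieved:
            scenarios.setdefault(pair, []).append(a.sig)
            achieved |= post
    return scenarios

# Constructed sample alerts from three sensors (not real data).
SAMPLE = [
    Alert("ids-a", 0.0, "PORTSCAN", "10.0.0.99", "10.0.0.5", 22),
    Alert("ids-b", 0.5, "PORTSCAN", "10.0.0.99", "10.0.0.5", 22),
    Alert("ids-c", 1.0, "PORTSCAN", "10.0.0.99", "10.0.0.5", 22),
    Alert("ids-a", 10.0, "SSH_BRUTE", "10.0.0.99", "10.0.0.5", 22, "linux"),
    Alert("ids-a", 12.0, "SSH_BRUTE", "10.0.0.99", "10.0.0.7", 22, "linux"),      # wrong OS, port closed
    Alert("ids-b", 15.0, "SMB_EXPLOIT", "10.0.0.99", "10.0.0.5", 445, "windows"), # wrong OS, port closed
    Alert("ids-c", 20.0, "SSH_NEW_USER", "10.0.0.99", "10.0.0.5", 22, "linux"),
]

def run(alerts: List[Alert] = SAMPLE):
    """Fuse, then correlate; returns (synthetic alerts, reconstructed scenarios)."""
    groups = fuse(alerts)
    return groups, correlate(groups)

if __name__ == "__main__":
    groups, scen = run()
    for g in groups:
        sig, src, dst, port = g["key"]
        print(f"{sig:13} {src} -> {dst}:{port} x{g['count']} "
              f"sensors={sorted(g['sensors'])} conf={verify(g['alert']):.2f}")
    for pair, steps in scen.items():
        print("scenario", pair, " -> ".join(steps))
```

Run stand-alone, the three PORTSCAN reports from separate sensors collapse into one synthetic alert, the two alerts aimed at the wrong OS or a closed port are scored at 0.02 and dropped, and the remaining alerts on the 10.0.0.99 to 10.0.0.5 pair chain into a PORTSCAN, SSH_BRUTE, SSH_NEW_USER scenario because each step's prerequisite was produced by the one before it.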