Agent based correlation model for intrusion detection alerts

Ayman E. Taha, I. A. Ghaffar, A. Eldin, Hani M. K. Mahdi

2010 IEEE International Conference on Intelligence and Security Informatics, published 2010-05-23
DOI: 10.1109/ISI.2010.5484771 (https://doi.org/10.1109/ISI.2010.5484771)
Citations: 23

Abstract

Alert correlation is a promising technique in intrusion detection. It analyzes the alerts from one or more intrusion detection systems and provides a compact summarized report and a high-level view of attempted intrusions, which greatly improves security effectiveness. A correlation component is a procedure that aggregates alerts according to certain criteria. The aggregated alerts may share common features or represent the steps of a pre-defined attack scenario. Correlation approaches are composed of either a single component or a comprehensive set of components. The effectiveness of a component depends heavily on the nature of the dataset being analyzed, and the order in which correlation components are applied affects the performance of the correlation process. Moreover, not all components should be used for every dataset. This paper presents an agent-based alert correlation model. A learning agent learns the nature of the dataset within a network and then guides the whole correlation process, determining which components should be used and in which order. The model improves the performance of the correlation process by selecting the proper components to be used. It ensures that the minimum number of alerts is processed by each component, depending on the dataset, and that the correlation process takes the minimum time.
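The abstract describes three ideas: correlation components that aggregate alerts by common features, components that match the steps of a pre-defined scenario, and a selection step that decides, from properties of the dataset, which components run and in which order so that later components see fewer alerts. The following Python block is an added illustration of those ideas and is not the paper's model or code: the alert fields, the `PORTSCAN`/`EXPLOIT_ATTEMPT` signature names, the scenario definition, the profile statistics and the selection thresholds are all assumptions, and the sample alerts are constructed. The rule-based `select_components` stands in for the paper's learning agent.

```python
"""Added illustration of alert correlation components with a data-driven
component selection step. Not the paper's model or code: alert format,
signature names, scenario and thresholds are assumptions for the example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from any real IDS): one noisy scanner,
# one scan-then-exploit sequence from a second source, one isolated alert.
SAMPLE_ALERTS = [
    {"ts": "2010-05-23T10:00:00", "src": "10.0.0.5", "dst": "10.0.1.2", "sig": "PORTSCAN"},
    {"ts": "2010-05-23T10:00:05", "src": "10.0.0.5", "dst": "10.0.1.3", "sig": "PORTSCAN"},
    {"ts": "2010-05-23T10:00:09", "src": "10.0.0.5", "dst": "10.0.1.4", "sig": "PORTSCAN"},
    {"ts": "2010-05-23T10:01:00", "src": "10.0.0.7", "dst": "10.0.1.9", "sig": "PORTSCAN"},
    {"ts": "2010-05-23T10:02:30", "src": "10.0.0.7", "dst": "10.0.1.9", "sig": "EXPLOIT_ATTEMPT"},
    {"ts": "2010-05-23T10:30:00", "src": "10.0.0.9", "dst": "10.0.1.1", "sig": "POLICY_VIOLATION"},
]

# Assumed scenario definition: ordered signature steps seen from one source.
SCENARIOS = {"scan_then_exploit": ["PORTSCAN", "EXPLOIT_ATTEMPT"]}


def _t(alert):
    return datetime.fromisoformat(alert["ts"])


def aggregate_common_features(alerts, window=timedelta(seconds=60)):
    """Component 1: merge alerts sharing (src, sig) within `window` into one
    meta-alert that carries a count and the set of targets."""
    groups = defaultdict(list)  # (src, sig) -> list of runs, each a list of alerts
    for a in sorted(alerts, key=_t):
        runs = groups[(a["src"], a["sig"])]
        if runs and _t(a) - _t(runs[-1][-1]) <= window:
            runs[-1].append(a)
        else:
            runs.append([a])
    out = []
    for (src, sig), runs in groups.items():
        for run in runs:
            out.append({"ts": run[0]["ts"], "src": src, "sig": sig,
                        "count": len(run), "dst": sorted({a["dst"] for a in run})})
    return out


def match_scenarios(alerts, scenarios=SCENARIOS):
    """Component 2: report sources whose time-ordered signatures contain a
    scenario's steps as a subsequence."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=_t):
        by_src[a["src"]].append(a["sig"])
    hits = []
    for src, sigs in by_src.items():
        for name, steps in scenarios.items():
            i = 0
            for s in sigs:
                if i < len(steps) and s == steps[i]:
                    i += 1
            if i == len(steps):
                hits.append({"src": src, "scenario": name})
    return hits


def profile_dataset(alerts):
    """Cheap dataset statistics a selection step can act on (assumed)."""
    n = len(alerts)
    per_src = Counter(a["src"] for a in alerts)
    repeat_ratio = sum(c for c in per_src.values() if c > 1) / n if n else 0.0
    scenario_sigs = {s for steps in SCENARIOS.values() for s in steps}
    sig_ratio = sum(a["sig"] in scenario_sigs for a in alerts) / n if n else 0.0
    return {"repeat_ratio": repeat_ratio, "scenario_sig_ratio": sig_ratio}


def select_components(profile, repeat_min=0.5, scenario_min=0.2):
    """Assumed selection rule standing in for the paper's learning agent:
    aggregate first when sources repeat, so later components see fewer
    alerts; run scenario matching only if scenario signatures occur."""
    pipeline = []
    if profile["repeat_ratio"] >= repeat_min:
        pipeline.append(aggregate_common_features)
    if profile["scenario_sig_ratio"] >= scenario_min:
        pipeline.append(match_scenarios)
    return pipeline


def run_pipeline(alerts):
    """Return (component names in order, alerts seen by each, final output)."""
    pipeline = select_components(profile_dataset(alerts))
    names, seen, current = [], [], list(alerts)
    for comp in pipeline:
        names.append(comp.__name__)
        seen.append(len(current))
        current = comp(current)
    return names, seen, current


if __name__ == "__main__":
    print(run_pipeline(SAMPLE_ALERTS))
```

On the constructed sample the selection step runs aggregation before scenario matching: six raw alerts collapse to four meta-alerts, and the scenario matcher then works on those four rather than the original six, which is the "minimum alerts per component" effect the abstract claims. A dataset with no repeated sources and no scenario signatures yields an empty pipeline, i.e. no component is applied.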