Intrusion Alert Correlation to Support Security Management
Author(s) -
Cláudio Toshio Kawakani,
Sylvio Barbon,
Rodrigo Sanches Miani,
Michel Cukier,
Bruno Bogaz Zarpelão
Publication year - 2016
Publication title -
Anais do Simpósio Brasileiro de Sistemas de Informação (SBSI)
Language(s) - English
Resource type - Conference proceedings
DOI - 10.5753/sbsi.2016.5977
Subject(s) - computer science , intrusion detection system , cluster analysis , task (project management) , attack patterns , set (abstract data type) , event (particle physics) , computer security , data mining , information security , security information and event management , intrusion , machine learning , cloud computing security , cloud computing , engineering , physics , systems engineering , quantum mechanics , programming language , geochemistry , geology , operating system
To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks, generating alerts for every suspicious behavior. However, the huge number of alerts that an IDS triggers and their low-level representation make alert analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most typical strategies attackers have used. Then, it associates upcoming alerts in real time with the strategies discovered in the first step. The experiments were performed using a real data set from the University of Maryland. The results show that the proposed approach can provide useful information for security administrators and may reduce the time between a security event and the response.