Abstract
Alert correlation analyzes the alerts from one or more Collaborative Intrusion Detection Systems (CIDSs) to produce a concise overview of security-related activity on the network. The correlation process consists of multiple components, each responsible for a different aspect of the overall correlation goal. The sequential order of the correlation components affects the correlation process performance. Furthermore, the total time needed for the whole process depends on the number of processed alerts in each component. This paper presents an innovative alert correlation framework that minimizes the number of processed alerts on each component and thus reducing the correlation processing time. By reordering the components, the introduced correlation model reduces the number of processed alerts as early as possible by discarding the irrelevant, unreal and false alerts in the early phases of the correlation process. A new component, shushing the alerts, is added to deal with the unrelated and false positive alerts. A modified algorithm for fusing the alerts is outlined. The intruders’ intention is grouped into attack scenarios and thus used to detect future attacks. DARPA 2000 intrusion detection scenario specific datasets and a testbed network were used to evaluate the innovative alert correlation model. Comparisons with a previous correlation system were performed. The results of processing these datasets and recognizing the attack patterns demonstrated the potential of the improved correlation model and gave favorable results.
Highlights
Intrusion Detection Systems (IDSs) play an essential role in minimizing the damage caused by different attacks
A Collaborative Intelligent Intrusion Detection System (CIIDS) is proposed to include both misuse- and anomaly-based techniques, since it is concluded from recent research that the performance of an individual
This paper presents an innovative alert correlation framework based on a Collaborative Intelligent Intrusion Detection System (CIIDS) architecture
Summary
Intrusion Detection Systems (IDSs) play an essential role in minimizing the damage caused by different attacks. Even when different detection methods are used, they analyze each other’s alerts and reduce false positive alerts [1][2] It has been proven by many researchers that collaborative approaches are more powerful and give better performance over individual approaches. Deploying multiple IDSs might generate a huge number of alerts, where many are redundant, irrelevant and false positive alerts. Correlation aims to relate a group of alerts to build a big picture of the attacks, can be used to trace an attack to its source The core of this process consists of components that implement specific function, which operate on different spatial and temporal properties [5]. An innovative framework focuses on reordering the correlation components such that redundant, irrelevant and false alerts are reduced as early as possible reducing the number of processed alerts to enhance the performance.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
