Case-oriented alert correlation

Authors: Daniel G. Schwartz, Jidong Long

Abstract: Correlating alerts is important for identifying complex attacks and for discarding false alerts. Most popular alert correlation approaches rely on some well-defined body of knowledge to uncover the connections among alerts. However, acquiring, representing and justifying such knowledge has turned out to be a nontrivial task. In this paper, we propose a novel method that works around these difficulties by using case-based reasoning (CBR). In our application, a case, constructed from training data, serves as an example of correlated alerts: it consists of the pattern of alerts caused by an attack together with the identity of that attack. The runtime alert stream is then compared with each case to see whether any subset of its alerts is similar to the pattern stored in the case. Correlation is thereby reduced to a matching problem. Two kinds of matching methods were explored, the second of which is much more efficient than the first. Our experiments with the DARPA Grand Challenge Problem simulator have shown that both produce almost the same results, and that case-oriented correlation is effective in detecting intrusions.
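To make the "case as alert pattern plus attack identity, correlation as matching" idea concrete, here is an added example that is not the authors' code and does not reproduce either of the two matching methods the paper evaluated. It assumes a deliberately simple case language: an ordered list of IDS signature names with role variables ("A" for attacker, "V" for victim, "W" for a further host) that must bind consistently to hosts, and a similarity score equal to the fraction of pattern steps matched. The cases, the alert stream and the threshold are all constructed for the example.

```python
"""Case-based alert correlation, illustrative sketch.

Not the paper's implementation: the case format, the role-binding
pattern language, the similarity measure and the sample data below
are all assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int      # arrival order / timestamp
    sig: str     # IDS signature name
    src: str     # source host
    dst: str     # destination host


@dataclass(frozen=True)
class Case:
    attack: str      # attack identity the case explains
    pattern: tuple   # ordered steps: (signature, src_role, dst_role)


def match_case(case, alerts):
    """Best time-ordered subset of `alerts` that fits `case.pattern`.

    Pattern steps may be skipped (partial match). A role variable such
    as "A" or "V" must bind to the same host everywhere it appears.
    Returns (similarity, matched alerts, role bindings). This is a
    backtracking search, exponential in the worst case, so it is only
    meant to show the matching problem on a short window, not to scale.
    """
    stream = sorted(alerts, key=lambda a: a.ts)
    best = (0.0, [], {})

    def search(step, start, bindings, matched):
        nonlocal best
        sim = len(matched) / len(case.pattern)
        if sim > best[0]:
            best = (sim, list(matched), dict(bindings))
        if step == len(case.pattern):
            return
        sig, src_role, dst_role = case.pattern[step]
        for j in range(start, len(stream)):
            a = stream[j]
            if a.sig != sig:
                continue
            nb = dict(bindings)
            # Bind roles to hosts; reject alerts that contradict earlier bindings.
            if nb.setdefault(src_role, a.src) != a.src:
                continue
            if nb.setdefault(dst_role, a.dst) != a.dst:
                continue
            matched.append(a)
            search(step + 1, j + 1, nb, matched)   # later steps must follow in time
            matched.pop()
        search(step + 1, start, bindings, matched)  # skip this step (partial match)

    search(0, 0, {}, [])
    return best


def correlate(cases, alerts, min_sim):
    """Report (attack, similarity, matched timestamps, bindings) for every
    case whose best match reaches `min_sim`; everything else is left
    uncorrelated and can be treated as noise or a false alert."""
    hits = []
    for case in cases:
        sim, matched, roles = match_case(case, alerts)
        if sim >= min_sim:
            hits.append((case.attack, sim, [a.ts for a in matched], roles))
    return hits


# Constructed cases (would come from training data in the paper's setting).
CASES = (
    Case("multi-step intrusion", (("PORTSCAN", "A", "V"),
                                  ("EXPLOIT_FTP", "A", "V"),
                                  ("ROOT_SHELL", "A", "V"))),
    Case("worm propagation", (("EXPLOIT_FTP", "A", "V"),
                              ("EXPLOIT_FTP", "V", "W"))),
)

# Constructed runtime alert stream: one real intrusion plus unrelated noise.
STREAM = (
    Alert(1, "PORTSCAN", "10.0.0.5", "10.0.0.20"),
    Alert(2, "PORTSCAN", "10.0.0.7", "10.0.0.21"),    # scan with no follow-up
    Alert(3, "EXPLOIT_FTP", "10.0.0.5", "10.0.0.20"),
    Alert(4, "ROOT_SHELL", "10.0.0.5", "10.0.0.20"),
    Alert(5, "EXPLOIT_FTP", "10.0.0.9", "10.0.0.30"),  # isolated, likely false alert
)

if __name__ == "__main__":
    for attack, sim, ts_list, roles in correlate(CASES, STREAM, min_sim=0.67):
        print(f"{attack}: similarity={sim:.2f} alerts={ts_list} roles={roles}")
```

With the threshold at 0.67 only the three-step intrusion is reported (alerts 1, 3 and 4, attacker 10.0.0.5, victim 10.0.0.20); the worm case reaches at most 0.5 because no second EXPLOIT_FTP originates from a freshly compromised host, and alerts 2 and 5 stay uncorrelated. Lowering the threshold trades missed attacks for more false correlations, which is the tuning knob a CBR correlator exposes in place of a hand-written rule base.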

References (15)
Sara Stoecklin, Daniel G. Schwartz, Jidong Long. An XML Distance Measure. DMIN, pp. 119-125 (2005).
Hervé Debar, Andreas Wespi. Aggregation and Correlation of Intrusion-Detection Alerts. Recent Advances in Intrusion Detection, pp. 85-103 (2001). DOI: 10.1007/3-540-45474-8_6
K. Julisch. Mining Alarm Clusters to Improve Alarm Handling Efficiency. Annual Computer Security Applications Conference, pp. 12-21 (2001). DOI: 10.1109/ACSAC.2001.991517
Phillip A. Porras, Martin W. Fong, Alfonso Valdes. A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. Recent Advances in Intrusion Detection, pp. 95-114 (2002). DOI: 10.1007/3-540-36084-0_6
F. Cuppens. Managing Alerts in a Multi-Intrusion Detection Environment. Annual Computer Security Applications Conference, pp. 22-31 (2001). DOI: 10.1109/ACSAC.2001.991518
Benjamin Morin, Hervé Debar. Correlation of Intrusion Symptoms: An Application of Chronicles. Recent Advances in Intrusion Detection, pp. 94-112 (2003). DOI: 10.1007/978-3-540-45248-5_6
Lundy M. Lewis. A Case-Based Reasoning Approach to the Resolution of Faults in Communication Networks. Integrated Network Management, pp. 671-682 (1993).
Steven J. Templeton, Karl Levitt. A Requires/Provides Model for Computer Attacks. New Security Paradigms Workshop, pp. 31-38 (2001). DOI: 10.1145/366173.366187