University of Khartoum

An Improved Framework for Collaborative Intrusion Alert Correlation

Title: An Improved Framework for Collaborative Intrusion Alert Correlation
Author: Elshoush, Huwaida Tagelsir Ibrahim
Abstract: Many of the weaknesses in traditional intrusion detection systems (IDSs) are due to the lack of collaboration among different detection mechanisms, and between intrusion detection and other network management operations and security mechanisms. Therefore, a collaborative intrusion detection system (CIDS) architecture is introduced. The focus in this thesis is on correlation of collaborative intelligent intrusion detection system (CIIDS) alerts. Automation of alert management and analysis is crucial because of the large number of alerts. Alert correlation analyzes the alerts from one or more collaborative intrusion detection systems and aims to relate different alerts to build a big picture of the attack, thus giving a high-level view of the network security status. The correlation process consists of multiple components, each responsible for a different aspect of the overall correlation goal. The sequential order of the correlation components affects the correlation process performance. Moreover, the performance of the correlation process is significantly affected by the network topology, the characteristics of the attack and the available meta-data. Furthermore, the total time needed for the whole process depends on the number of processed alerts in each component. This thesis presents an innovative alert correlation framework that minimizes the number of processed alerts in each component and thus reduces the correlation processing time. By reordering the components, the introduced correlation model reduces the number of processed alerts as early as possible by discarding the irrelevant, unreal and false alerts in the early phases of the correlation process. A new component, shushing the alerts, is added to deal with the unrelated and false positive alerts. Any alert that is not correlated after being processed by a number of components is deliberately removed. An algorithm for this new component is presented.
A modified algorithm for fusing the alerts is outlined. The intruder's intention is grouped into attack scenarios and the expert knowledge database is hence updated frequently if needed. Thus, by updating the expert knowledge database, the attack scenarios can be used to detect future attacks. Therefore, by diverting more resources to deal with high risk/priority alerts to be correlated, the effectiveness of alert correlation is significantly improved. DARPA 2000 intrusion detection scenario specific datasets and a testbed network were used to evaluate the innovative alert correlation model. Comparisons with a previous correlation system were performed. The results of processing these datasets and recognizing the attack patterns demonstrated the potential of the improved correlation model and gave favorable results.
URI: http://khartoumspace.uofk.edu/123456789/25985