Affiliation:
1. Austrian Institute of Technology, Vienna, Austria
2. Vienna University of Technology, Vienna, Austria
Abstract
Intrusion Detection Systems (IDS)
secure all kinds of IT infrastructures through automatic detection of malicious activities. Unfortunately, they are known to produce large numbers of alerts that often become overwhelming for manual analysis. Therefore, aggregation methods have been developed for filtering, grouping, and correlating alerts. However, existing techniques either rely on manually defined attack scenarios or require specific alert formats, such as IDMEF that include IP addresses. This makes the application of existing aggregation methods infeasible for alerts from host-based or anomaly-based IDSs that frequently lack such network-related data. In this paper, we therefore present a domain-independent alert aggregation technique. We introduce similarity measures and merging strategies for arbitrary semi-structured alerts and alert groups. Based on these metrics and techniques we propose an incremental procedure for the generation of abstract alert patterns that enable continuous classification of incoming alerts. Evaluations show that our approach is capable of reducing the number of alert groups for human review by around
\( 80\% \)
and assigning attack classifiers to the groups with true positive rates of
\( 80\% \)
and false positive rates lower than
\( 5\% \)
.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality,General Computer Science
Reference40 articles.
1. Intrusion detection alarms reduction using root cause analysis and clustering
2. Feature Selection Using Information Gain for Improved Structural-Based Alert Correlation
3. Alert correlation and aggregation techniques for reduction of security alerts and detection of multistage attack;Alserhani Faeiz;International Journal of Advanced Studies in Computers, Science and Engineering,2016
4. Using artificial immune system and fuzzy logic for alert correlation.;Bateni Mehdi;International Journey of Network Security,2013
5. Ingwer Borg and Patrick Groenen. 2005. Modern Multidimensional Scaling: Theory and Applications. Springer Science & Business Media.
Cited by
17 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Introducing a New Alert Data Set for Multi-Step Attack Analysis;Proceedings of the 17th Cyber Security Experimentation and Test Workshop;2024-08-13
2. NEWSROOM: Towards Automating Cyber Situational Awareness Processes and Tools for Cyber Defence;Proceedings of the 19th International Conference on Availability, Reliability and Security;2024-07-30
3. Finding Harmony in the Noise: Blending Security Alerts for Attack Detection;Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing;2024-04-08
4. CySecBERT
: A Domain-Adapted Language Model for the Cybersecurity Domain;ACM Transactions on Privacy and Security;2024-04-08
5. A survey on intelligent management of alerts and incidents in IT services;Journal of Network and Computer Applications;2024-04