
Title page for ETD etd-05122003-173102


Type of Document: Master's Thesis
Author: Serrano, Alfredo
Author's Email Address: aserran@unity.ncsu.edu
URN: etd-05122003-173102
Title: Integrating Alerts from Multiple Homogeneous Intrusion Detection Systems
Degree: Master of Science
Graduate Program: Computer Science

Advisory Committee
  Advisor Name             Title
  Dr. Peng Ning            Committee Chair
  Dr. Douglas S. Reeves    Committee Member
  Dr. Rudra Dutta          Committee Member

Keywords
  • Intrusion Detection
  • Alert Correlation
  • Intrusion Detection Systems
  • Security

Date of Defense: 2003-04-17
Availability: unrestricted
Abstract
Serrano, Alfredo. Integrating Alerts From Multiple Homogeneous Intrusion Detection Systems. (Under the direction of Dr. Peng Ning.)

Intrusion detection is a relatively young area of research, begun in the early 1980's. Currently most intrusion detection systems (IDSs) produce a large number of alerts based on low-level attacks or anomalies. More distressing is that a large number of these alerts are false positives. The false alert rate becomes even more important as networks become larger. Effectively monitoring a large network requires the deployment of multiple intrusion detection systems at key points on the network. Yet this deployment increases the number of alerts that administrators must attend to. In addition, since most IDSs produce alerts based on low-level attacks, they give no indication of the relationship between alerts.

In this work, we describe a method for correlating intrusion alerts from the low-level alerts produced by multiple homogeneous IDSs. Our technique extends the intrusion alert correlation technique developed at North Carolina State University, which uses an intrusion alert's prerequisites and consequences to construct high-level attack scenarios. The prerequisite of an alert specifies what must be true in order for the corresponding attack to be successful, and the consequences describe what can possibly be true if the attack succeeds. The extended technique relaxes the temporal constraints on alerts from different IDSs to account for possible timestamp inconsistencies (due to network delays, lack of system clock synchronization, or host workload).

Our correlation method reduces alert volume and improves performance through a reduction in false positives compared to uncorrelated alerts. Our correlation of alerts from multiple intrusion detection systems provides an automated method to show not only the relationships between alerts from one IDS, but also the relationships between alerts from different IDSs. Therefore, our method gives a more complete view of attack scenarios.
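The prerequisite/consequence correlation with relaxed cross-sensor timing described in the abstract, written here as an added illustration (not code from the thesis). The attack types, predicate names, sensor names and alerts are constructed sample data; the tolerance value is an assumed parameter.

```python
from dataclasses import dataclass

# Constructed knowledge base: attack type -> (prerequisites, consequences).
# Each predicate is (name, alert attribute supplying its argument).
ATTACK_TYPES = {
    "IPSweep":     ([],                             [("ExistHost", "dst")]),
    "SadmindPing": ([("ExistHost", "dst")],         [("VulnerableSadmind", "dst")]),
    "SadmindBOF":  ([("VulnerableSadmind", "dst")], [("RootAccess", "dst")]),
}

@dataclass
class Alert:
    id: str
    sensor: str   # which IDS reported the alert
    type: str
    ts: float     # seconds, as stamped by that sensor's own clock
    dst: str

def instantiate(preds, alert):
    """Bind each predicate's argument to the alert's attribute value."""
    return {(name, getattr(alert, attr)) for name, attr in preds}

def prepares_for(a, b, tolerance):
    """a 'prepares for' b when a consequence of a matches a prerequisite of b
    and a occurred before b. Ordering is strict for alerts from one sensor;
    across sensors it is relaxed by `tolerance` seconds (assumed value) to
    absorb clock skew and delivery delay between IDSs."""
    cons = instantiate(ATTACK_TYPES[a.type][1], a)
    pre = instantiate(ATTACK_TYPES[b.type][0], b)
    if not cons & pre:
        return False
    slack = 0.0 if a.sensor == b.sensor else tolerance
    return a.ts < b.ts + slack

def correlate(alerts, tolerance=5.0):
    """Return the sorted list of (earlier_id, later_id) prepare-for edges."""
    return sorted((a.id, b.id) for a in alerts for b in alerts
                  if a is not b and prepares_for(a, b, tolerance))

# Constructed sample: idsB's clock runs a few seconds behind idsA's, so b1
# is stamped earlier than the sweep (a1) that it actually followed.
SAMPLE = [
    Alert("a1", "idsA", "IPSweep",     100.0, "10.0.0.5"),
    Alert("b1", "idsB", "SadmindPing",  98.0, "10.0.0.5"),
    Alert("a2", "idsA", "SadmindBOF",  105.0, "10.0.0.5"),
    Alert("a3", "idsA", "SadmindPing", 110.0, "10.0.0.5"),  # same sensor, after a2
    Alert("b2", "idsB", "SadmindBOF",  120.0, "10.0.0.9"),  # no matching prerequisite
]
```

With the default tolerance the skewed cross-sensor pair (a1, b1) is still linked, while the same-sensor pair (a3, a2) is not, because strict ordering applies within one IDS; with tolerance 0 the cross-sensor edge disappears.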

Files
  Filename   Size     Approximate Download Time (Hours:Minutes:Seconds)
                      28.8 Modem   56K Modem   ISDN (64 Kb)   ISDN (128 Kb)   Higher-speed Access
  etd.pdf    2.94 Mb  00:13:36     00:06:59    00:06:07       00:03:03        00:00:15