Integrating Alerts From Multiple Homogeneous Intrusion Detection Systems
| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | Dr. Peng Ning, Committee Chair | en_US |
| dc.contributor.advisor | Dr. Rudra Dutta, Committee Member | en_US |
| dc.contributor.advisor | Dr. Douglas S. Reeves, Committee Member | en_US |
| dc.contributor.author | Serrano, Alfredo | en_US |
| dc.date.accessioned | 2010-04-02T17:58:12Z | |
| dc.date.available | 2010-04-02T17:58:12Z | |
| dc.date.issued | 2003-06-06 | en_US |
| dc.degree.discipline | Computer Science | en_US |
| dc.degree.level | thesis | en_US |
| dc.degree.name | MS | en_US |
| dc.description.abstract | Intrusion detection is a relatively young area of research, begun in the early 1980s. Currently most intrusion detection systems (IDSs) produce a large number of alerts based on low-level attacks or anomalies. More distressing is that a large number of these alerts are false positives. The false alert rate becomes even more important as networks become larger. Effectively monitoring a large network requires the deployment of multiple intrusion detection systems at key points on the network. Yet this deployment increases the number of alerts that administrators must attend to. In addition, since most IDSs produce alerts based on low-level attacks, they give no indication of the relationship between alerts. In this work, we describe a method for correlating intrusion alerts from low-level alerts produced by multiple homogeneous IDSs. Our technique extends the intrusion alert correlation technique developed at North Carolina State University, which uses an intrusion alert's prerequisites and consequences to construct high-level attack scenarios. The prerequisite of an alert specifies what must be true in order for the corresponding attack to be successful, and the consequences describe what can possibly be true if the attack succeeds. The extended technique relaxes the temporal constraints on alerts from different IDSs to account for possible timestamp inconsistencies (due to network delays, lack of system clock synchronization, or host workload). Our correlation method reduces alert volume and improves performance through a reduction in false positives compared to uncorrelated alerts. Our correlation of alerts from multiple intrusion detection systems provides an automated method to show not only the relationships between alerts from one IDS, but also the relationships between alerts from different IDSs. Therefore, our method gives a more complete view of attack scenarios. | en_US |
| dc.identifier.other | etd-05122003-173102 | en_US |
| dc.identifier.uri | http://www.lib.ncsu.edu/resolver/1840.16/761 | |
| dc.rights | I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. | en_US |
| dc.subject | Intrusion Detection | en_US |
| dc.subject | Alert Correlation | en_US |
| dc.subject | Intrusion Detection Systems | en_US |
| dc.subject | Security | en_US |
| dc.title | Integrating Alerts From Multiple Homogeneous Intrusion Detection Systems | en_US |