文章基本信息

标题：Online Intrusion Alert Aggregation with Generative Data Stream Modeling
本地全文：下载
作者：M. Hanock ; K. Srinivas ; A. Yaganteeswarudu 等
期刊名称：International Journal of Electronics and Computer Science Engineering
电子版ISSN：2277-1956
出版年度：2012
卷号：1
期号：4
页码：2261-2269
出版社：Buldanshahr : IJECSE
摘要：Alert aggregation is an important subtask of intrusion detection. The goal is to identify and to cluster different alerts—produced by low-level intrusion detection systems, firewalls, etc.—belonging to a specific attack instance which has been initiated by an attacker at a certain point in time. Thus, meta-alerts can be generated for the clusters that contain all the relevant information whereas the amount of data (i.e., alerts) can be reduced substantially. Meta-alerts may then be the basis for reporting to security experts or for communication within a distributed intrusion detection system. We propose a novel technique for online alert aggregation w hich is based on a dynamic, probabilistic model of the current attack situation. Basically, it can be regarded as a data stream version of a maximum likelihood approach for the estimation of the model parameters. With three benchmark data sets, we demonstrate that it is possible to achieve reduction rates of up to 99.96 percent while the number of missing meta-alerts is extremely low. In addition, meta-alerts are generated with a delay of typically only a few seconds after observing the first alert belonging to a new attack instance