Alarm Reduction and Correlation in Intrusion Detection Systems
Date: 2004-07
Publisher: Gesellschaft für Informatik
Abstract
Large critical complex infrastructures are increasingly dependent on IP networks. Reliability through redundancy and fault tolerance is an imperative for such dependable networks. To achieve the desired reliability, the detection of faults, misuse, and attacks is essential. This can be achieved by applying methods of intrusion detection. However, in large systems these methods produce an uncontrollably vast amount of data that overwhelms human operators. This paper studies the role of alarm reduction and correlation in existing networks for building more intelligent safeguards that support and complement the operator's decisions. We present an architecture that incorporates intrusion detection systems as sensors and provides quantitatively and qualitatively improved alarms to the human operator. Alarm reduction via static and adaptive filtering, aggregation, and correlation is demonstrated using realistic data from sensors such as Snort, Samhain, and Syslog.
Keywords: alarm correlation, alarm reduction, intrusion detection
Citation
Tobias Chyssler, Stefan Burschka, Michael Semling, Tomas Lingvall, Kalle Burbeck: Alarm Reduction and Correlation in Intrusion Detection Systems. In Flegel, U.; Meier, M. (Eds.): Proc. of the International GI Workshop on Detection of Intrusions and Malware & Vulnerability Assessment, number P-46 in Lecture Notes in Informatics, pp. 9-24, Dortmund, Germany, July 2004, Köllen Verlag; ISBN 3-88579-365-X.