Intrusion alert correlation to support security management

10 citations; 27 Mendeley readers.

Abstract

To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks, generating an alert for every suspicious behavior. However, the huge number of alerts that an IDS triggers, and their low-level representation, make alert analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most typical strategies attackers have used. Then, it associates upcoming alerts in real time with the strategies discovered in the first step. The experiments were performed using a real data set from the University of Maryland. The results show that the proposed approach can provide useful information for security administrators and may reduce the time between a security event and the response.
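The two-step workflow the abstract describes (cluster historical alerts into typical strategies, then match incoming alerts against those clusters) can be illustrated with a small, self-contained example. The code below is an added example, not the authors' implementation: the abstract does not state which alert attributes, distance function or linkage criterion the paper uses, so the attribute set (source /24 prefix, destination port, IDS signature), the mismatch-count distance, complete-linkage merging and the 0.7 cut-off are all assumptions chosen for illustration, and the alert records are constructed.

```python
"""
Illustrative two-step intrusion alert correlation (added example; not the
paper's code). Step 1 builds strategy clusters from historical alerts with
agglomerative (complete-linkage) hierarchical clustering. Step 2 assigns each
upcoming alert to the closest known strategy or reports it as unmatched so an
analyst can look at it as a possible new attack pattern.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    # Assumed low-level attributes of an IDS alert; a real deployment would
    # pick the fields its own IDS exposes.
    src_prefix: str   # first three octets of the source address
    dst_port: int
    signature: str

    def distance(self, other: "Alert") -> float:
        """Fraction of attributes that differ (0.0 identical, 1.0 disjoint)."""
        mismatches = (
            (self.src_prefix != other.src_prefix)
            + (self.dst_port != other.dst_port)
            + (self.signature != other.signature)
        )
        return mismatches / 3


# Distance threshold (assumption) above which two groups are kept apart.
THRESHOLD = 0.7

# Constructed historical alerts: a web scan-then-inject sequence from one
# network and an SSH brute-force campaign from two neighbouring networks.
HISTORICAL: List[Alert] = [
    Alert("10.0.1", 80, "HTTP_SCAN"),
    Alert("10.0.1", 80, "HTTP_SQLI"),
    Alert("10.0.1", 443, "HTTP_SCAN"),
    Alert("10.0.2", 22, "SSH_BRUTE"),
    Alert("10.0.2", 22, "SSH_BRUTE"),
    Alert("10.0.3", 22, "SSH_BRUTE"),
]


def complete_linkage(a: List[Alert], b: List[Alert]) -> float:
    """Complete linkage: distance between the two farthest members."""
    return max(x.distance(y) for x in a for y in b)


def cluster_alerts(alerts: List[Alert], threshold: float) -> List[List[Alert]]:
    """Step 1: merge the two closest clusters until no pair is within threshold."""
    clusters = [[a] for a in alerts]
    while len(clusters) > 1:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            d = complete_linkage(clusters[i], clusters[j])
            if best is None or d < best[0]:
                best = (d, i, j)
        d, i, j = best
        if d > threshold:
            break
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return clusters


def strategy_label(cluster: List[Alert]) -> str:
    """Human-readable name for a strategy: the signatures it is made of."""
    return "+".join(sorted({a.signature for a in cluster}))


def assign_alert(alert: Alert, clusters: List[List[Alert]],
                 threshold: float) -> Optional[int]:
    """Step 2: index of the closest strategy (mean distance to its members),
    or None when the alert is farther than threshold from every strategy."""
    best_idx, best_dist = None, None
    for idx, members in enumerate(clusters):
        d = sum(alert.distance(m) for m in members) / len(members)
        if best_dist is None or d < best_dist:
            best_idx, best_dist = idx, d
    if best_dist is None or best_dist > threshold:
        return None
    return best_idx


if __name__ == "__main__":
    strategies = cluster_alerts(HISTORICAL, THRESHOLD)
    for idx, c in enumerate(strategies):
        print(f"strategy {idx}: {strategy_label(c)} ({len(c)} alerts)")
    for incoming in (Alert("10.0.1", 80, "HTTP_SQLI"),
                     Alert("10.0.9", 22, "SSH_BRUTE"),
                     Alert("10.0.5", 3389, "RDP_BRUTE")):
        match = assign_alert(incoming, strategies, THRESHOLD)
        label = "unmatched (review)" if match is None else strategy_label(strategies[match])
        print(f"{incoming} -> {label}")
```

With the constructed data, step 1 yields two strategies (the HTTP scan/injection group and the SSH brute-force group). In step 2 an incoming SQL-injection alert from the same network joins the first, an SSH brute-force alert from a new network still joins the second, and an RDP alert that resembles neither is returned as unmatched, which is the case a security administrator would want surfaced rather than silently folded into an existing strategy.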

Citation (APA)

Kawakani, C. T., Barbon, S., Miani, R. S., Cukier, M., & Zarpelão, B. B. (2016). Intrusion alert correlation to support security management. In SBSI 2016 - 12th Brazilian Symposium on Information Systems: Information Systems in the Cloud Computing Era, Proceedings (pp. 313–320). Universidade Federal de Santa Catarina, Florianopolis - UFSC/Departamento de Informatica e Estatistica. https://doi.org/10.5753/sbsi.2016.5977
