NETWORK ALERT CORRELATION USING OUTLIER DETECTION METHODS
Syarif, Iwan (2010) NETWORK ALERT CORRELATION USING OUTLIER DETECTION METHODS. (Submitted)
PDF (PhD Progress Report), 219Kb; restricted to registered users.
Description/Abstract
The use of an Intrusion Detection System (IDS) as a security perimeter tool has many advantages but also creates another difficult problem. Most IDSs focus on low-level attacks and generate a very large number of alerts which are difficult for humans to understand. Handling the intrusion alerts generated by various IDSs is now a new research field, as more sensors with different capabilities are distributed throughout the networks being protected. A "Network Alert Correlation System" addresses this issue by reducing the number of false alarms, finding the root causes and then correlating the alerts to find the high-level attack scenario. Most current approaches have a number of limitations. Firstly, they usually need a lot of labelled training data to build the alert classifiers; however, such data is often difficult to obtain. Secondly, most of these models are off-line, which delays the reaction to attacks. Thirdly, most of them are unable to adapt to new configurations. In this research I propose a network alert correlation system which is able to handle some of the above limitations. My proposed method is based on a data mining technique called outlier detection.
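The abstract names the three properties the approach is after (no labelled data, on-line operation, adaptation to new configurations) but does not describe the detector itself. The following is an added illustration of how an unsupervised, streaming outlier score over IDS alerts can meet those three requirements; it is not the report's method and nothing here is taken from it. It assumes each alert is reduced to a (src, dst, sig) tuple, that rarity is measured as the negative log of the tuple's smoothed frequency under exponentially decayed counts, and that a fixed threshold of 2.0 (tuple probability below e^-2) marks an outlier; the alert stream is constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One IDS alert, reduced to the attributes used for correlation."""
    ts: float   # seconds since epoch
    src: str
    dst: str
    sig: str    # rule / signature name as emitted by the sensor

    @property
    def key(self):
        return (self.src, self.dst, self.sig)


class StreamingAlertOutlierDetector:
    """Unsupervised, on-line outlier scoring for a stream of IDS alerts.

    Keeps exponentially decayed counts of each (src, dst, sig) tuple and of
    all alerts seen. An alert's score is -log of the smoothed estimated
    probability of its tuple under the current counts, computed *before*
    the alert is folded into them. No labels are needed, scoring is a
    single pass over the stream, and the decay lets the baseline follow a
    changed configuration instead of remembering the old one forever.
    (Illustrative design; assumption, not the report's method.)
    """

    def __init__(self, half_life_s=3600.0, threshold=2.0):
        self.half_life_s = half_life_s
        self.threshold = threshold        # flag when P(tuple) < e^-threshold
        self._counts = {}                 # key -> (decayed count, last ts)
        self._total = (0.0, 0.0)          # (decayed count of all alerts, last ts)

    def _decay(self, count, last_ts, now):
        if now <= last_ts:                # out-of-order alert: no decay
            return count
        return count * 0.5 ** ((now - last_ts) / self.half_life_s)

    def score(self, alert):
        c, c_ts = self._counts.get(alert.key, (0.0, alert.ts))
        n, n_ts = self._total
        c = self._decay(c, c_ts, alert.ts)
        n = self._decay(n, n_ts, alert.ts)
        # add-one smoothing: a never-seen tuple scores log(n + 1), not infinity
        return -math.log((c + 1.0) / (n + 1.0))

    def observe(self, alert):
        """Score the alert, then fold it into the counts. Returns (score, is_outlier)."""
        s = self.score(alert)
        c, c_ts = self._counts.get(alert.key, (0.0, alert.ts))
        self._counts[alert.key] = (self._decay(c, c_ts, alert.ts) + 1.0, max(c_ts, alert.ts))
        n, n_ts = self._total
        self._total = (self._decay(n, n_ts, alert.ts) + 1.0, max(n_ts, alert.ts))
        return s, s > self.threshold

    def root_causes(self, now, top=3):
        """Highest-volume tuples right now: candidates for one noisy root cause."""
        rows = sorted(((self._decay(c, ts, now), key)
                       for key, (c, ts) in self._counts.items()), reverse=True)
        return [(key, c) for c, key in rows[:top]]


def constructed_alerts():
    # Constructed sample stream (not real sensor output): one scanner tripping
    # the same rule 40 times, then a new (src, dst, sig) tuple firing 10 times.
    noise = [Alert(1000.0 + i, "10.0.0.5", "10.0.0.1", "SCAN example syn sweep")
             for i in range(40)]
    rare = [Alert(1040.0 + i, "10.0.0.9", "10.0.0.1", "EXPLOIT example smb attempt")
            for i in range(10)]
    return noise + rare


def run_demo():
    det = StreamingAlertOutlierDetector(half_life_s=3600.0, threshold=2.0)
    results = [(a, *det.observe(a)) for a in constructed_alerts()]
    flagged = [(a.sig, round(s, 2)) for a, s, hit in results if hit]
    return det, results, flagged


if __name__ == "__main__":
    det, results, flagged = run_demo()
    for sig, s in flagged:
        print(f"outlier {s:5.2f}  {sig}")
    print("top root cause:", det.root_causes(now=1050.0, top=1))
```

On the constructed stream the 40 scanner alerts all score 0 (each is the only tuple seen, so the root-cause report collapses them to one line), the first alert of the new tuple scores about 3.7 and is flagged, and each repeat of that tuple scores lower until the seventh, which falls under the threshold: the tuple has been absorbed into the baseline with no labels and no retraining. Two caveats a practitioner should keep in mind: a tuple that floods the sensor is exactly what this scoring treats as normal, which is the intended alert reduction but means the root-cause list must still be read by a human; and after a long quiet period all counts decay towards zero, so the first alerts after the gap score near 0 and the detector has to re-learn its baseline.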
| Item Type: | Monograph (Technical Report) |
|---|---|
| Divisions: | Faculty of Physical and Applied Science > Electronics and Computer Science > Web & Internet Science |
| Item ID: | 271404 |
| Date Deposited: | 14 Jul 2010 15:09 |
| Last Modified: | 01 Mar 2012 14:29 |
| Contributors: | Syarif, Iwan (Author) |
| Date: | 1 July 2010 |
| Status: | Submitted |
| URI: | http://eprints.soton.ac.uk/id/eprint/271404 |