The University of Southampton
University of Southampton Institutional Repository

Network alert correlation using outlier detection methods

Syarif, Iwan
d6c3eb92-73cf-463b-819c-d97d017e54b5

Syarif, Iwan (2010) Network alert correlation using outlier detection methods (Submitted)

Record type: Monograph (Project Report)

Abstract

The use of an Intrusion Detection System (IDS) as a security perimeter tool has many advantages but also creates another difficult problem. Most IDSs focus on low-level attacks and generate a very large number of alerts which are difficult for humans to understand. Handling the intrusion alerts generated by various IDSs is now a new research field, as more sensors with different capabilities are distributed throughout the networks being protected. A “Network Alert Correlation System” addresses this issue by reducing the number of false alarms, finding the root causes and then correlating the alerts to find the high-level attack scenario. Most current approaches have a number of limitations. Firstly, they usually need a lot of labelled training data to build the alert classifiers. However, such data is often difficult to obtain. Secondly, most of these models are off-line, which delays the reaction to attacks. Thirdly, most of them are unable to adapt to new configurations. In this research I propose a network alert correlation system which is able to handle some of the above limitations. My proposed method is based on a data mining technique called outlier detection.

Text: PhD_Nine_month_report_-_is1e08.pdf (Other) - Restricted to Registered users only - 225kB

More information

Submitted date: 1 July 2010
Organisations: Web & Internet Science

Identifiers

Local EPrints ID: 271404
URI: http://eprints.soton.ac.uk/id/eprint/271404
PURE UUID: e37549e2-0e09-4fed-8d3e-63fdc698a725

Catalogue record

Date deposited: 14 Jul 2010 15:09
Last modified: 14 Mar 2024 09:30


Contributors

Author: Iwan Syarif

