Modeling Intrusion Alerts using IDMEF Data Model
Authors
Abstract
In response to the proliferation of attacks on enterprise systems today, practitioners deploy multiple, diverse intrusion detection sensors to improve the detection rate and the coverage within the system for increased information assurance. An important problem in such an environment is the management of alerts. One of the essential issues in alert management is the standardization of the alert format; some scholars refer to such standardization as alert normalization. In this paper we address the data model for intrusion detection sensor alerts, called the Intrusion Detection Message Exchange Format (IDMEF), and explain the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented to represent alerts generated by intrusion detection sensors for better viewing and to ease future alert analysis, for instance aggregation and correlation, regardless of the origin of the alerts.
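As an added example (not code from the paper), the normalisation the abstract describes, in Python: two hypothetical sensors that report the same detection with different field layouts are mapped onto the IDMEF Alert, Analyzer, CreateTime, Source, Target and Classification structure of RFC 4765 in XML, and the resulting document is parsed back so that alerts can be aggregated without regard to which sensor produced them. The sensor field names and sample values are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

NS = "http://iana.org/idmef"                 # IDMEF XML namespace (RFC 4765)
ET.register_namespace("idmef", NS)
q = lambda tag: f"{{{NS}}}{tag}"             # namespace-qualify an IDMEF tag name
# Constructed output of two hypothetical sensors that name the same fields differently.
SENSOR_ALERTS = [
    {"sensor": "nids-A", "ts": 1578915234, "sig": "SQL injection attempt",
     "src": "198.51.100.7", "dst": "192.0.2.10"},
    {"id": "hids-B", "time": "2020-01-13T11:34:02Z", "rule": "SQL injection attempt",
     "source_ip": "198.51.100.7", "target_ip": "192.0.2.10"},
]

def to_ntpstamp(epoch):  # IDMEF CreateTime carries an NTP stamp: hex seconds since 1900
    return f"0x{int(epoch) + 2208988800:08x}.0x00000000"

def build_alert(raw, msgid):  # map one vendor-shaped dict onto the IDMEF Alert structure
    if "sensor" in raw:                                 # field names used by sensor A
        analyzer, epoch, text = raw["sensor"], raw["ts"], raw["sig"]
        src, dst = raw["src"], raw["dst"]
    else:                                               # field names used by sensor B
        analyzer, text = raw["id"], raw["rule"]
        epoch = datetime.fromisoformat(raw["time"].replace("Z", "+00:00")).timestamp()
        src, dst = raw["source_ip"], raw["target_ip"]
    alert = ET.Element(q("Alert"), messageid=msgid)
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer)        # reporting sensor
    ct = ET.SubElement(alert, q("CreateTime"), ntpstamp=to_ntpstamp(epoch))
    ct.text = datetime.fromtimestamp(epoch, timezone.utc).isoformat()
    for cls, ip in (("Source", src), ("Target", dst)):              # Node/Address/address
        node = ET.SubElement(ET.SubElement(alert, q(cls)), q("Node"))
        addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
    ET.SubElement(alert, q("Classification"), text=text)            # what was detected
    return alert

def to_idmef(raws):  # wrap the normalised alerts in a single IDMEF-Message document
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    for i, raw in enumerate(raws):
        root.append(build_alert(raw, f"alert-{i}"))
    return ET.tostring(root, encoding="unicode")

def aggregate(idmef_xml):  # count alerts per (classification, target), whatever the sensor
    ns, counts = {"i": NS}, Counter()
    for alert in ET.fromstring(idmef_xml).findall("i:Alert", ns):
        text = alert.find("i:Classification", ns).get("text")
        target = alert.find("i:Target/i:Node/i:Address/i:address", ns).text
        counts[(text, target)] += 1
    return counts
```

Both sensors end up as one IDMEF document with two Alert elements, and the aggregation step sees a single (classification, target) pair reported twice.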
Similar references
Experiences Implementing a Common Format for IDS Alerts
Intrusion detection is an area of increasing concern in the Internet community. In response to this, many automated intrusion detection systems (IDS) have been developed, e.g., commercial (Real Secure) and public domain (SNORT). However, there is no standardized way for IDS to communicate with each other or to a common manager. To remedy this, the Intrusion Detection Working Group (IDWG) was ch...
Standardisation and Classification of Alerts Generated by Intrusion Detection Systems
Intrusion detection systems are the most popular defence mechanisms used to provide security to IT infrastructures. Organisations need the best performance, so they use multiple IDSs from different vendors. Different vendors use different formats and protocols. The difficulty imposed by this is the generation of several false alarms. The major part of this work concentrates on the collection of alerts fro...
Alert correlation and prediction using data mining and HMM
Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: When utilized in large and high traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, there emerged a recent track of security research, focused on alert correlation, which ext...
Managing Alerts in a Multi-Intrusion Detection Environment
There are several approaches to intrusion detection, but none of them is fully satisfactory. They generally generate too many false positives, and the alerts are too elementary and not accurate enough to be directly managed by a security administrator. A promising approach is to develop a cooperation module to analyze alerts and to generate more global and synthetic alerts. This paper presents t...
Using an Intrusion Detection Alert Similarity Operator to Aggregate and Fuse Alerts
An important problem in the field of intrusion detection is the management of alerts. Intrusion Detection Systems tend to produce a high number of alerts, most of them being false positives. But producing a high number of alerts does not mean that the attack detection rate is high. In order to increase the detection rate, the use of multiple IDSs based on heterogeneous detection techniques is a...