Improving Intrusion Detection through Alert Verification
Abstract
Intrusion detection systems (IDS) suffer from a lack of scalability. Alert correlation has been introduced to address this challenge and is generally considered to be the major part of the solution. One of the steps in the correlation process is the verification of alerts. We have identified the relationships and interactions between correlation and verification. An overview of verification tests proposed in literature is presented and refined. Our contribution is to integrate these tests in an extensible generic framework for verification that enables further experimentation. A proof-of-concept implementation is presented and a first evaluation is made. We conclude that verification is a viable extension to the intrusion detection process. Its effectiveness is highly dependent on contextual information.
Similar references
Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in ...
Using Alert Verification to Identify Successful Intrusion Attempts
Intrusion detection systems monitor protected networks and attempt to identify evidence of malicious activity. When an attack is detected, an alert is produced, and, possibly, a countermeasure is executed. A perfect intrusion detection system would be able to identify all the attacks without raising any false alarms. In addition, a countermeasure would be executed only when an attack is actuall...
Improving Efficiency of IDS using alert Correlation
Intrusion Detection Systems are designed to monitor a network environment and generate alerts whenever abnormal activities are detected. However, the number of these alerts can be very large making their evaluation a difficult task for a security analyst. Alert management techniques reduce alert volume significantly and potentially improve detection performance of an Intrusion Detection System....
Mobi-Herald: Alert Propagation in Mobile Ad Hoc Networks
Intrusion/misbehavior detection and response are two important components for defending against various attacks in mobile ad hoc networks. Unfortunately, there is a gap between local intrusion/misbehavior detection and network-wide response in such networks. To bridge this gap, alert propagation, aiming to spread alert messages to the whole network upon detection of malicious/abnormal activity,...
ATLANTIDES: Automatic Configuration for Alert Verification in Network Intrusion Detection Systems
We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either...