Data Reduction in Intrusion Alert Correlation
Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related al...
| Main Authors: | , |
|---|---|
| Format: | Article |
| Published: |
2006
|
| Subjects: | |
| Online Access: | https://eprints.nottingham.ac.uk/365/ |
| _version_ | 1848790400229179392 |
|---|---|
| author | Tedesco, Gianni Aickelin, Uwe |
| author_facet | Tedesco, Gianni Aickelin, Uwe |
| author_sort | Tedesco, Gianni |
| building | Nottingham Research Data Repository |
| collection | Online Access |
| description | Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack. |
| first_indexed | 2025-11-14T18:12:01Z |
| format | Article |
| id | nottingham-365 |
| institution | University of Nottingham Malaysia Campus |
| institution_category | Local University |
| last_indexed | 2025-11-14T18:12:01Z |
| publishDate | 2006 |
| recordtype | eprints |
| repository_type | Digital Repository |
| spelling | nottingham-3652020-05-04T20:30:20Z https://eprints.nottingham.ac.uk/365/ Data Reduction in Intrusion Alert Correlation Tedesco, Gianni Aickelin, Uwe Network intrusion detection sensors are usually built around low level models of network traffic. This means that their output is of a similarly low level and as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack. 2006 Article PeerReviewed Tedesco, Gianni and Aickelin, Uwe (2006) Data Reduction in Intrusion Alert Correlation. WSEAS Transactions on Computers . pp. 186-193. Intrusion Detection Systems Alert Correlation Attack Graphs Denial of Service Attacks Token Bucket Filter |
| spellingShingle | Intrusion Detection Systems Alert Correlation Attack Graphs Denial of Service Attacks Token Bucket Filter Tedesco, Gianni Aickelin, Uwe Data Reduction in Intrusion Alert Correlation |
| title | Data Reduction in Intrusion Alert Correlation |
| title_full | Data Reduction in Intrusion Alert Correlation |
| title_fullStr | Data Reduction in Intrusion Alert Correlation |
| title_full_unstemmed | Data Reduction in Intrusion Alert Correlation |
| title_short | Data Reduction in Intrusion Alert Correlation |
| title_sort | data reduction in intrusion alert correlation |
| topic | Intrusion Detection Systems Alert Correlation Attack Graphs Denial of Service Attacks Token Bucket Filter |
| url | https://eprints.nottingham.ac.uk/365/ |