Correlation of Heterogenous IDS Alerts for Attack Detection
Carey, Nathan (2004) Correlation of Heterogenous IDS Alerts for Attack Detection. Masters by Research thesis, Queensland University of Technology.
With the increasing use of Intrusion Detection Systems (IDS) as a core component of network security, a vast array of competing products has appeared to fulfil the role of reliably detecting potential breaches of security in a network. The domain of detecting intrusions is large. This leads to products which are better at detecting some intrusions than others, and so to the use of multiple different types of IDS within a network. This typical usage, combined with the common practice of deploying IDS at multiple points in the network, requires sophisticated management of heterogeneous alerts from multiple sources. This management should enable correlation of alerts with the goal of better detecting attacks and reducing the monitoring workload on administrators. This thesis presents an architecture utilising commodity components and the Intrusion Detection Message Exchange Format (IDMEF) to enable this type of alert management. A signature scheme for the specification of patterns of alerts that indicate multi-step attacks is given, together with a methodology for analysing alerts using the architecture that was developed. The final outcomes are a signature system and a collection of tools integrated in a GUI management interface to aid in the detection of attacks, and the results of utilising these tools on a series of experiments in attack detection.
Item Type: QUT Thesis (Masters by Research)
Supervisor: Mohay, George & Clark, Andrew
Keywords: Intrusion Detection, Correlation, Alert Analysis, Attack Signatures
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Department: Faculty of Information Technology
Institution: Queensland University of Technology
Copyright Owner: Copyright Nathan Carey
Deposited On: 03 Dec 2008 03:51
Last Modified: 28 Oct 2011 19:40