Correlation of Heterogenous IDS Alerts for Attack Detection

Carey, Nathan (2004) Correlation of Heterogenous IDS Alerts for Attack Detection. Masters by Research thesis, Queensland University of Technology.


With the increasing use of Intrusion Detection Systems (IDS) as a core component of network security, a vast array of competing products have appeared to fulfil the role of reliably detecting potential breaches of security in a network. The domain of detecting intrusions is large. This leads to products which are better at detecting some intrusions than others, and so to the use of multiple different types of IDS within a network. This typical usage, combined with the common practice of using IDS at multiple points in the network, requires sophisticated management of heterogenous alerts from multiple sources. This management should enable correlation of alerts with the goal of better detecting attacks, and reducing the monitoring workload on administrators. This thesis presents an architecture utilising commodity components and the Intrusion Detection Message Exchange Format (IDMEF) to enable this type of alert management. A signature scheme for the specification of patterns of alerts that indicate multi-step attacks is given, along with a methodology for analysing alerts using the architecture that was developed. The final outcomes are a signature system and collection of tools integrated in a GUI management interface to aid in the detection of attacks, and the results of utilising these tools on a series of experiments in attack detection.


Full-text downloads:

2,121 since deposited on 03 Dec 2008
64 in the past twelve months


ID Code: 15872
Item Type: QUT Thesis (Masters by Research)
Supervisor: Mohay, George & Clark, Andrew
Keywords: Intrusion Detection, Correlation, Alert Analysis, Attack Signatures
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Department: Faculty of Information Technology
Institution: Queensland University of Technology
Copyright Owner: Copyright Nathan Carey
Deposited On: 03 Dec 2008 03:51
Last Modified: 22 Jun 2017 14:40
