Managing alerts in a multi-intrusion detection environment

被引:69
作者
Cuppens, F [1 ]
机构
[1] ONERA Toulouse, F-31055 Toulouse, France
来源
17TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, PROCEEDINGS | 2001年
关键词
IDS; IDMEF; DTD; cooperative intrusion detection; alert clustering; alert merging;
D O I
10.1109/ACSAC.2001.991518
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
There are several approaches for intrusion detection but none of them is fully satisfactory. They generally generate too many false positives and the alerts are too elementary and not enough accurate to be directly managed by a security administrator. A promising approach is to develop a cooperation module to analyze alerts and to generate more global and synthetic alerts. This paper presents the work we did in this context within the MIRADOR project. We suggest specifications for three functions: alert base management, alert clustering and alert merging. The approach is compliant with the IDMEF format currently being defined at the IETF.
引用
收藏
页码:22 / 31
页数:10
相关论文
共 22 条
[1]  
Bace Rebecca Gurley, 2000, Intrusion Detection
[2]  
CARRERE J, UNPUB INSIDER DETECT
[3]  
*COMP ASS, 2000, E TRUST INTR DET
[4]  
CUPPENS F, 2000, 3 WORKSH REC ADV INT
[5]  
Cuppens Frederic, 2001, INT S INF SUP TOOLS
[6]  
CURRY D, 2001, INTRUSION DETECTION
[7]  
DEBAR H, 2001, 4 WORKSH REC ADV INT
[8]  
DIAZ M, 2000, GNU PROLOG NATIVE PR
[9]  
HUANG MY, 1998, 1 INT WORKSH REC ADV
[10]  
KLEINWAECHTER J, 1998, 1 INT WORKSH REC ADV
123