
Design and Implementation of Alert Analysis System using Correlation

이수진 (Department of Electrical Engineering and Computer Science, KAIST)
정병천 (Department of Electrical Engineering and Computer Science, KAIST)
김희열 (Department of Electrical Engineering and Computer Science, KAIST)
이윤호 (Department of Electrical Engineering and Computer Science, KAIST)
윤현수 (Department of Computer Science, KAIST)
김도환 (National Security Research Institute)
이은영 (National Security Research Institute)
박응기 (National Security Research Institute)
Abstract
With the growing deployment of networks and the Internet, the importance of security has also increased. But recent intrusion detection systems, which hold an important position among security countermeasures, cannot provide proper analysis or an effective defence mechanism. Instead, they overwhelm the human operator with a large volume of intrusion detection alerts. In this paper, we propose an efficient alert analysis system that can produce high-level information by analyzing and processing the large volume of alerts, and that can detect large-scale attacks such as DDoS at an early stage. We have measured the processing rate of each elementary module and carried out a scenario-based test in order to analyze the efficiency of our proposed system.
Keywords
Security; Intrusion Detection System; Alert Correlation