Managing alerts in a multi-intrusion detection environment

24 August 2005

conference paper
Published by Institute of Electrical and Electronics Engineers (IEEE)

p. 22-31
https://doi.org/10.1109/acsac.2001.991518

Abstract

There are several approaches for intrusion detectionbut none of them is fully satisfactory. They generallygenerate too many false positives and the alerts are tooelementary and not enough accurate to be directlymanaged by a security administrator. A promisingapproach is to develop a cooperation module to analyzealerts and to generate more global and synthetic alerts.This paper presents the work we did in this context withinthe MIRADOR project. We suggest specifications for threefunctions: alert base management, alert clustering andalert merging. The approach is compliant with theIDMEF format currently being defined at the IETF.

Keywords

This publication has 5 references indexed in Scilit:

Continuous assessment of a Unix configuration: integrating intrusion detection and configuration analysis
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
Aggregation and Correlation of Intrusion-Detection Alerts
Published by Springer Nature ,2001
Probabilistic Alert Correlation
Published by Springer Nature ,2001
Adaptive, Model-Based Monitoring for Cyber Attack Detection
Published by Springer Nature ,2000
LAMBDA: A Language to Model a Database for Detection of Attacks
Published by Springer Nature ,2000