Online Intrusion Alert Aggregation with Generative Data Stream Modeling

Free registration required

Executive Summary

Alert aggregation is an important subtask of intrusion detection. The goal is to identify and to cluster different alerts - produced by low-level intrusion detection systems, firewalls, etc. - belonging to a specific attack instance which has been initiated by an attacker at a certain point in time. Thus, meta-alerts can be generated for the clusters that contain all the relevant information whereas the amount of data (i.e., alerts) can be reduced substantially. Meta-alerts may then be the basis for reporting to security experts or for communication within a distributed intrusion detection system. The authors propose a novel technique for online alert aggregation which is based on a dynamic, probabilistic model of the current attack situation.

  • Format: PDF
  • Size: 621.46 KB