Correlation of alerts using prerequisites and consequences for intrusion detection

Sanoop Mallissery, K. Praveen, Shahana Sathar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Alert correlation is a process that analyses the alerts produced by one or more intrusion detection sensors and provides a clear picture of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. The prerequisites of an intrusion are the conditions that must hold for the intrusion to succeed, and its consequences are its possible outcomes. This lets us correlate two alerts when a consequence of the earlier alert prepares for a prerequisite of the later one. In this system, before alert classification we perform normalization, pre-processing and alert correlation. The correlation phase has two types of correlation: duplicate removal (alert fusion) and consequence correlation. The resulting alert set is then clustered. Based on this analysis of the alert set, the prioritization component assigns an appropriate priority to every alert; this priority information is important for quickly discarding information that is irrelevant or of lesser importance. A second way of prioritizing is based on the number of alerts coming from the networked systems.
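The pipeline the abstract describes (normalization, alert fusion, consequence correlation, clustering, prioritization), as an added worked example in Python. This is not the paper's code: the alert types, their prerequisite and consequence predicates, the sensor signature names, the raw field names and the addresses in the sample alerts are all constructed assumptions, and the chain-depth priority is one concrete reading of "based on this analysis of the alert set".

```python
# Added example, not the paper's code: alert types, predicates, sensor
# signature names and addresses below are all constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Knowledge base: prerequisite ("pre") and consequence ("post") predicates per
# alert type, templated on alert fields so they can be instantiated per alert.
ALERT_TYPES: Dict[str, Dict[str, Set[str]]] = {
    "PORT_SCAN":       {"pre": set(),                   "post": {"ServiceKnown({dst})"}},
    "SMB_EXPLOIT":     {"pre": {"ServiceKnown({dst})"}, "post": {"AdminAccess({dst})"}},
    "CREDENTIAL_DUMP": {"pre": {"AdminAccess({dst})"},  "post": {"CredsStolen({dst})"}},
    "LATERAL_LOGIN":   {"pre": {"CredsStolen({src})"},  "post": {"AdminAccess({dst})"}},
}
# Hypothetical sensor signature names mapped onto the canonical types above.
SIGNATURE_MAP = {"ET SCAN Nmap": "PORT_SCAN", "SMB RCE attempt": "SMB_EXPLOIT",
                 "lsass dump": "CREDENTIAL_DUMP", "Admin logon remote": "LATERAL_LOGIN"}

@dataclass(frozen=True)
class Alert:
    ts: int         # seconds since epoch
    kind: str       # canonical type, a key of ALERT_TYPES
    src: str
    dst: str
    count: int = 1  # raw alerts fused into this one

def normalize(raw: dict) -> Alert:
    """Normalization: records from sensors with different field names onto one schema."""
    return Alert(ts=int(raw.get("ts", raw.get("timestamp"))),
                 kind=SIGNATURE_MAP[raw.get("sig", raw.get("signature"))],
                 src=raw.get("src", raw.get("source_ip")),
                 dst=raw.get("dst", raw.get("dest_ip")))

def fuse(alerts: List[Alert], window: int = 60) -> List[Alert]:
    """Alert fusion: collapse repeats of one (kind, src, dst) seen within `window` seconds."""
    out: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for i, b in enumerate(out):
            if (b.kind, b.src, b.dst) == (a.kind, a.src, a.dst) and a.ts - b.ts <= window:
                out[i] = Alert(b.ts, b.kind, b.src, b.dst, b.count + 1)
                break
        else:
            out.append(a)
    return out

def instantiate(preds: Set[str], a: Alert) -> Set[str]:
    return {p.format(src=a.src, dst=a.dst) for p in preds}

def correlate(alerts: List[Alert]) -> List[Tuple[Alert, Alert]]:
    """Consequence correlation: a -> b when a consequence of earlier a satisfies a prerequisite of later b."""
    edges = []
    for a in alerts:
        post = instantiate(ALERT_TYPES[a.kind]["post"], a)
        for b in alerts:
            if b.ts > a.ts and post & instantiate(ALERT_TYPES[b.kind]["pre"], b):
                edges.append((a, b))
    return edges

def cluster(alerts: List[Alert], edges: List[Tuple[Alert, Alert]]) -> List[List[Alert]]:
    """Clustering: connected components of the correlation graph (union-find)."""
    parent = {a: a for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in edges:
        parent[find(a)] = find(b)
    groups: Dict[Alert, List[Alert]] = {}
    for a in alerts:
        groups.setdefault(find(a), []).append(a)
    return [sorted(g, key=lambda x: x.ts) for g in groups.values()]

def prioritize(alerts: List[Alert], edges: List[Tuple[Alert, Alert]]) -> Dict[Alert, Tuple[int, int]]:
    """Per alert: (chain depth, volume). Depth is the longest chain of satisfied
    prerequisites ending at the alert; volume is how many raw alerts were fused into it."""
    preds = {a: [x for x, y in edges if y == a] for a in alerts}
    depth: Dict[Alert, int] = {}
    def chain_depth(a):
        if a not in depth:
            depth[a] = 1 + max((chain_depth(p) for p in preds[a]), default=0)
        return depth[a]
    return {a: (chain_depth(a), a.count) for a in alerts}

# Constructed sensor output: a NIDS (ts/sig/src/dst) and a HIDS (timestamp/signature/...).
RAW_ALERTS = [
    {"ts": 100, "sig": "ET SCAN Nmap", "src": "10.0.0.5", "dst": "10.0.0.20"},
    {"ts": 101, "sig": "ET SCAN Nmap", "src": "10.0.0.5", "dst": "10.0.0.20"},  # repeat, fused
    {"timestamp": 300, "signature": "SMB RCE attempt", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20"},
    {"timestamp": 600, "signature": "lsass dump", "source_ip": "10.0.0.20", "dest_ip": "10.0.0.20"},
    {"ts": 900, "sig": "Admin logon remote", "src": "10.0.0.20", "dst": "10.0.0.30"},
    {"ts": 950, "sig": "ET SCAN Nmap", "src": "192.0.2.9", "dst": "10.0.0.40"},  # unrelated noise
]

def run(raw=RAW_ALERTS, window: int = 60):
    alerts = fuse([normalize(r) for r in raw], window)
    edges = correlate(alerts)
    return alerts, edges, cluster(alerts, edges), prioritize(alerts, edges)

if __name__ == "__main__":
    for c in run()[2]:
        print(" -> ".join(f"{a.kind}(x{a.count})" for a in c))
```

Running it prints two clusters: the scan, SMB exploit, credential dump and lateral login chained in order, and the unrelated scan on its own. The lateral login gets chain depth 4 because each step's prerequisite was satisfied by the consequence of the step before it, while the isolated scan stays at depth 1 and is the kind of alert the abstract's prioritization discards first. Note the LATERAL_LOGIN entry matches on `{src}` rather than `{dst}`: the credentials were stolen on the host the login comes from, so the template has to follow the attacker, not the alert's target. The obvious caveat is that a chain breaks wherever a sensor misses a step, so the knowledge base and sensor coverage together bound what this style of correlation can recover.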

Original language: English
Title of host publication: Computational Intelligence and Information Technology - First International Conference, CIIT 2011, Proceedings
Pages: 662-666
Number of pages: 5
DOIs: 10.1007/978-3-642-25734-6_114
Publication status: Published - 26-12-2011
Externally published: Yes
Event: 1st International Conference on Computational Intelligence and Information Technology, CIIT 2011 - Pune, India
Duration: 07-11-2011 to 08-11-2011

Publication series

Name: Communications in Computer and Information Science
Volume: 250 CCIS
ISSN (Print): 1865-0929

Conference

Conference: 1st International Conference on Computational Intelligence and Information Technology, CIIT 2011
Country: India
City: Pune
Period: 07-11-11 to 08-11-11

Fingerprint

Intrusion detection
Fusion reactions
Sensors
Processing

All Science Journal Classification (ASJC) codes

  • Computer Science(all)

Cite this

Mallissery, S., Praveen, K., & Sathar, S. (2011). Correlation of alerts using prerequisites and consequences for intrusion detection. In Computational Intelligence and Information Technology - First International Conference, CIIT 2011, Proceedings (pp. 662-666). (Communications in Computer and Information Science; Vol. 250 CCIS). https://doi.org/10.1007/978-3-642-25734-6_114
Mallissery, Sanoop ; Praveen, K. ; Sathar, Shahana. / Correlation of alerts using prerequisites and consequences for intrusion detection. Computational Intelligence and Information Technology - First International Conference, CIIT 2011, Proceedings. 2011. pp. 662-666 (Communications in Computer and Information Science).
@inproceedings{32b2f6b8195e44818f51c5538fd7cb55,
title = "Correlation of alerts using prerequisites and consequences for intrusion detection",
author = "Sanoop Mallissery and K. Praveen and Shahana Sathar",
year = "2011",
month = "12",
day = "26",
doi = "10.1007/978-3-642-25734-6_114",
language = "English",
isbn = "9783642257339",
series = "Communications in Computer and Information Science",
pages = "662--666",
booktitle = "Computational Intelligence and Information Technology - First International Conference, CIIT 2011, Proceedings",

}

Mallissery, S, Praveen, K & Sathar, S 2011, Correlation of alerts using prerequisites and consequences for intrusion detection. in Computational Intelligence and Information Technology - First International Conference, CIIT 2011, Proceedings. Communications in Computer and Information Science, vol. 250 CCIS, pp. 662-666, 1st International Conference on Computational Intelligence and Information Technology, CIIT 2011, Pune, India, 07-11-11. https://doi.org/10.1007/978-3-642-25734-6_114

Correlation of alerts using prerequisites and consequences for intrusion detection. / Mallissery, Sanoop; Praveen, K.; Sathar, Shahana.

Computational Intelligence and Information Technology - First International Conference, CIIT 2011, Proceedings. 2011. p. 662-666 (Communications in Computer and Information Science; Vol. 250 CCIS).

TY - GEN

T1 - Correlation of alerts using prerequisites and consequences for intrusion detection

AU - Mallissery, Sanoop

AU - Praveen, K.

AU - Sathar, Shahana

PY - 2011/12/26

Y1 - 2011/12/26

UR - http://www.scopus.com/inward/record.url?scp=84055212155&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84055212155&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-25734-6_114

DO - 10.1007/978-3-642-25734-6_114

M3 - Conference contribution

SN - 9783642257339

T3 - Communications in Computer and Information Science

SP - 662

EP - 666

BT - Computational Intelligence and Information Technology - First International Conference, CIIT 2011, Proceedings

ER -

Mallissery S, Praveen K, Sathar S. Correlation of alerts using prerequisites and consequences for intrusion detection. In Computational Intelligence and Information Technology - First International Conference, CIIT 2011, Proceedings. 2011. p. 662-666. (Communications in Computer and Information Science). https://doi.org/10.1007/978-3-642-25734-6_114