The prerequisites-and-consequences approach models, for each individual attack, the conditions it requires and the effects it produces, and relates the consequences of a previous attack with the prerequisites of a subsequent attack [1], [4], [12]. Such systems have the advantage of requiring less time to define the preconditions and consequences, and have some ability to detect small variations of well-defined scenarios. On the other hand, they have the disadvantage of not detecting new scenarios or large variations, and this approach also presents the problem of false positives.
The clustering approach looks for similarities or relationships between the attributes of the alerts, so that alerts with similar or related attribute values belong to the same class and, therefore, to the same scenario [2], [13]. Clustering methods have the advantage of detecting new and unknown scenarios. However, they suffer from a very high rate of false positives.
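The two correlation strategies described above, as an added example that is not part of the paper: a small prerequisites/consequences chainer and an attribute-similarity clusterer run over the same constructed set of IDS alerts. The attack knowledge base (attack class to prerequisites and consequences), the alerts, the similarity measure and the thresholds are all assumptions made for the illustration. The output also shows the trade-off the text describes: the chainer recovers only the scenario whose steps are modelled, while the clusterer groups everything that shares a target and a time window, including the unrelated flood.

```python
"""
Added example (not from the paper): two alert-correlation strategies over
constructed IDS alerts.

  1. Prerequisites/consequences: alert B is chained after alert A when a
     consequence of A's attack class is a prerequisite of B's, both hit the
     same host and A happened first (within a time window).
  2. Attribute clustering: alerts are grouped by similarity of their
     attributes (shared source, shared destination, close timestamps), which
     also groups unknown scenarios, at the price of more false positives.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Alert:
    id: int
    ts: int       # seconds since epoch (constructed)
    src: str
    dst: str
    attack: str   # attack class reported by the sensor


# Constructed knowledge base: attack class -> prerequisites / consequences.
KB: Dict[str, Dict[str, Set[str]]] = {
    "port_scan":   {"pre": set(),                "post": {"host_enumerated"}},
    "ftp_exploit": {"pre": {"host_enumerated"},  "post": {"shell_on_host"}},
    "add_user":    {"pre": {"shell_on_host"},    "post": {"persistence"}},
    "icmp_flood":  {"pre": set(),                "post": set()},
}

# Constructed alerts: one three-step scenario on .10, plus noise on .20.
ALERTS = [
    Alert(1, 1000, "10.0.0.5", "192.168.1.10", "port_scan"),
    Alert(2, 1300, "10.0.0.5", "192.168.1.10", "ftp_exploit"),
    Alert(3, 1500, "10.0.0.5", "192.168.1.10", "add_user"),
    Alert(4, 1400, "10.0.0.9", "192.168.1.20", "icmp_flood"),   # unrelated
    Alert(5, 1450, "10.0.0.7", "192.168.1.20", "ftp_exploit"),  # no scan seen
]


def prereq_chains(alerts: List[Alert], window: int = 3600) -> List[List[int]]:
    """Chain alerts whose consequences satisfy a later alert's prerequisites."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    successors: Dict[int, List[int]] = {a.id: [] for a in ordered}
    has_pred: Set[int] = set()
    for i, a in enumerate(ordered):
        post = KB.get(a.attack, {}).get("post", set())
        for b in ordered[i + 1:]:
            pre = KB.get(b.attack, {}).get("pre", set())
            # same target, later, inside the window, and a consequence of A
            # is a prerequisite of B
            if b.dst == a.dst and b.ts - a.ts <= window and post & pre:
                successors[a.id].append(b.id)
                has_pred.add(b.id)

    chains: List[List[int]] = []

    def walk(path: List[int]) -> None:
        nxt = successors[path[-1]]
        if not nxt:
            chains.append(path)
        for n in nxt:
            walk(path + [n])

    # every alert with successors but no predecessor starts a scenario
    for a in ordered:
        if a.id not in has_pred and successors[a.id]:
            walk([a.id])
    return chains


def similarity(a: Alert, b: Alert) -> float:
    """Fraction of matching attributes; time matches if within 10 minutes."""
    score = 0.0
    score += a.src == b.src
    score += a.dst == b.dst
    score += abs(a.ts - b.ts) <= 600
    return score / 3.0


def cluster_alerts(alerts: List[Alert], threshold: float = 0.66) -> List[List[int]]:
    """Single-linkage grouping: join a cluster if similar enough to any member."""
    clusters: List[List[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for c in clusters:
            if any(similarity(a, m) >= threshold for m in c):
                c.append(a)
                break
        else:
            clusters.append([a])
    return [[m.id for m in c] for c in clusters]


if __name__ == "__main__":
    print("prereq chains:", prereq_chains(ALERTS))   # [[1, 2, 3]]
    print("clusters:", cluster_alerts(ALERTS))       # [[1, 2, 3], [4, 5]]
```

Alert 5 (an exploit with no preceding scan) is dropped by the chainer because its prerequisite is never satisfied, which is exactly the "large variation" blind spot; the clusterer keeps it, but lumps it together with the flood on the same host.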
Using the approach of integrating two methods, [3] develops a system that complements a prerequisites-and-consequences correlation engine with another system based on statistical analysis (clustering). The main conclusion of this work is that it improves performance with respect to an earlier paper by the same authors in which only clustering was used [2].
Finally, [14] also uses an integrative approach, combining prerequisites and consequences with clustering techniques; in particular, the work employs a Bayesian network and a probabilistic causality test. As in the previous case, the results are better than those obtained in previous work [4], which used only the probabilistic method.
3 Correlating IDS Alerts Using GNG
Our objective in this paper is to propose a new approach that joins together an extended view of two of the ideas reviewed in the previous section. On the one hand, we use the integration approach, but to combine the results of multiple different correlation methods, not just a pair as in previous works. In addition, our novelty lies in the fact that the integration method is general, not ad hoc as in previous papers. On the other hand, we use a neural network (a GNG neural network) for grouping and correlating alerts, but we take into account the quality of these alerts to balance the learning process, so that the final result is conditioned by the best methods.
Fig. 1. Intrusion detection general model
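The quality-weighted learning idea sketched above, as an added example that is not the paper's code: a compact Growing Neural Gas whose adaptation steps are scaled by a per-alert quality score in [0, 1], so that alerts coming from better-rated correlation methods pull the prototype nodes harder than alerts from weaker ones. The feature encoding of an alert as a 2-D point, the quality scores, and all GNG parameters (epsilon_b, epsilon_n, max_age, lambda, alpha, decay) are assumptions made for the illustration; the paper does not give them.

```python
"""
Added example (not from the paper): a small Growing Neural Gas (GNG) that
groups alert feature vectors, with the learning step scaled by the quality
of the alert.  Quality 0 leaves the prototypes untouched, quality 1 applies
the full GNG step.  Feature vectors and qualities below are constructed.
"""
import math
from typing import Dict, List, Tuple

Vec = Tuple[float, ...]


def dist(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class QualityGNG:
    def __init__(self, eps_b=0.2, eps_n=0.01, max_age=25, lam=20, alpha=0.5, decay=0.995):
        self.eps_b, self.eps_n = eps_b, eps_n           # winner / neighbour step
        self.max_age, self.lam = max_age, lam           # edge lifetime, growth period
        self.alpha, self.decay = alpha, decay           # error handling on growth
        self.w: Dict[int, List[float]] = {}             # node id -> prototype
        self.err: Dict[int, float] = {}                 # accumulated error
        self.edges: Dict[Tuple[int, int], int] = {}     # (i, j), i < j -> age
        self.next_id = 0
        self.seen = 0

    def _add(self, w) -> int:
        nid = self.next_id
        self.next_id += 1
        self.w[nid], self.err[nid] = list(w), 0.0
        return nid

    @staticmethod
    def _key(i: int, j: int) -> Tuple[int, int]:
        return (i, j) if i < j else (j, i)

    def _neighbors(self, i: int) -> List[int]:
        return [b if a == i else a for (a, b) in self.edges if i in (a, b)]

    def nearest(self, x: Vec) -> int:
        """Node id of the prototype closest to x (the alert's group)."""
        return min(self.w, key=lambda n: dist(self.w[n], x))

    def learn(self, x: Vec, quality: float) -> None:
        if len(self.w) < 2:                 # the first two alerts seed the net
            self._add(x)
            return
        self.seen += 1
        s1, s2 = sorted(self.w, key=lambda n: dist(self.w[n], x))[:2]
        self.err[s1] += dist(self.w[s1], x) ** 2
        # quality-weighted adaptation: low-quality alerts barely move prototypes
        eb, en = self.eps_b * quality, self.eps_n * quality
        for k in range(len(x)):
            self.w[s1][k] += eb * (x[k] - self.w[s1][k])
        for n in self._neighbors(s1):
            for k in range(len(x)):
                self.w[n][k] += en * (x[k] - self.w[n][k])
            self.edges[self._key(s1, n)] += 1
        self.edges[self._key(s1, s2)] = 0   # refresh the winner/runner-up edge
        for e in [e for e, age in self.edges.items() if age > self.max_age]:
            del self.edges[e]
        for n in [n for n in self.w if not self._neighbors(n)]:
            del self.w[n], self.err[n]      # drop nodes left without edges
        if self.seen % self.lam == 0:
            self._grow()
        for n in self.err:
            self.err[n] *= self.decay

    def _grow(self) -> None:
        """Insert a node between the highest-error node and its worst neighbour."""
        q = max(self.err, key=self.err.get)
        nb = self._neighbors(q)
        if not nb:
            return
        f = max(nb, key=self.err.get)
        r = self._add([(a + b) / 2 for a, b in zip(self.w[q], self.w[f])])
        del self.edges[self._key(q, f)]
        self.edges[self._key(q, r)] = self.edges[self._key(r, f)] = 0
        self.err[q] *= self.alpha
        self.err[f] *= self.alpha
        self.err[r] = self.err[q]


def constructed_alerts() -> List[Tuple[Vec, float]]:
    """Two scenarios: A reported by a strong method (q=0.9), B by a weak one (q=0.4)."""
    pts = []
    for i in range(40):
        j = (i % 5) * 0.01
        pts.append(((0.1 + j, 0.2 + j), 0.9))
        pts.append(((0.9 - j, 0.8 - j), 0.4))
    return pts


def train_on_constructed_alerts() -> QualityGNG:
    g = QualityGNG()
    for x, q in constructed_alerts():
        g.learn(x, q)
    return g


def prototype_shift(quality: float) -> float:
    """Distance the winning prototype moves for one alert of the given quality."""
    g = QualityGNG()
    g.learn((0.0, 0.0), 1.0)
    g.learn((1.0, 1.0), 1.0)
    before = list(g.w[0])
    g.learn((0.2, 0.2), quality)
    return dist(before, g.w[0])


if __name__ == "__main__":
    g = train_on_constructed_alerts()
    print("nodes:", len(g.w), "A ->", g.nearest((0.1, 0.2)), "B ->", g.nearest((0.9, 0.8)))
    for q in (1.0, 0.5, 0.0):
        print(f"quality {q}: winner moved {prototype_shift(q):.4f}")
```

Treating quality as a multiplier on both the winner step and the neighbour step is one simple way to "balance the learning process"; a weighting scheme that also affects node insertion or edge ageing would be a natural extension but is not what the text states.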