[Fig. 2. Test scenario. Diagram labels: Perception phase, Correlation phase, Integration phase, Response phase; Snort, alertSTAT, PreCons Module, EMERALD, Growing Neural Gas, Response Module.]
[Fig. 3. Results of the test. Panels: Correlation Performance, False Positive Rate, ROC curves. Axis labels: Number of attacks; % of false positive. Series: AlertSTAT, Pre/Cons, EMERALD, Modified GNG, GNG, PreCons + EMERALD.]
As Figure 3 shows, PreCons gives the worst results on average, with a correlation
rate of about 60%, while the probabilistic method (EMERALD) behaves better, with a
correlation rate between 60% and 80%. Integrating a pair of methods
(PreCons + EMERALD) improves on the results of those two, but its performance
is worse than that of our multiple integration approach. AlertSTAT showed a performance
above 80% in all cases, a very acceptable and predictable result. Finally, the integration
of the three previous correlation methods achieves the best results, and
performance is better with the modified GNG algorithm. The integration shows rates over
90%, and close to 100% with the modified GNG.