Design and Implementation of A Distributed IDS Alert Aggregation Model
How to aggregate and reduce duplicated alerts from different IDSs is one of the most important problems in the distributed IDS research area. This article proposes a distributed alert aggregation model composed of local components and network components. Local components transform raw alerts originating from traditional IDSs into IDMEF-based alerts with a uniform format, which are sent to the network components. Network components aggregate similar alerts into a meta-alert, using an aggregation algorithm based on category and feature similarity. A subscription-based communication mechanism and multiple kinds of messages are also proposed to meet the communication demands between the components and to realize information sharing across the whole network. Experiments on the DARPA99 data set indicate the effectiveness of the model.
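The two-stage pipeline the abstract describes, as an added illustration that is not the authors' code: a local component parses constructed Snort-style alert lines into IDMEF-shaped records, and a network component that subscribes to alert categories folds similar records into meta-alerts. The input format, the choice of Snort's classification as the category key, the feature weights (signature, source, target, time window) and the 0.6 merge threshold are all assumptions made for this example; the paper's actual similarity measure and message formats are not reproduced here.

```python
# Added illustration of the local/network alert aggregation pipeline; it is not the
# paper's code. Input format, feature weights, window and threshold are assumptions.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed Snort-style "fast" alert lines standing in for raw IDS output
# (made up for this example, not DARPA99 traffic).
RAW_ALERTS = [
    "07/25-10:00:01.000000 [**] [1:2003:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:34567 -> 172.16.114.50:80",
    "07/25-10:00:04.000000 [**] [1:2003:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:34568 -> 172.16.114.50:443",
    "07/25-10:00:05.000000 [**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 172.16.112.50:34570 -> 172.16.114.50:80",
    "07/25-10:00:09.000000 [**] [1:2003:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:34569 -> 172.16.114.50:22",
    "07/25-12:30:00.000000 [**] [1:2003:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:1025 -> 172.16.114.50:80",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]\s+(?:\[Priority:\s+\d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def to_idmef(line: str, analyzer_id: str) -> dict:
    """Local component: parse one raw alert into an IDMEF-shaped record (only the
    elements the aggregation needs; the coarse category rides in AdditionalData)."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    # Snort's fast format carries no year; 1999 is assumed to match DARPA99.
    detect = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=1999)
    return {
        "Analyzer": {"analyzerid": analyzer_id},
        "DetectTime": detect,
        "Classification": {"ident": m["sid"], "text": m["msg"]},
        "Source": {"Node": {"Address": m["src"]}, "Service": {"port": int(m["sport"]), "protocol": m["proto"]}},
        "Target": {"Node": {"Address": m["dst"]}, "Service": {"port": int(m["dport"]), "protocol": m["proto"]}},
        "AdditionalData": {"category": m["cls"]},
    }

@dataclass
class MetaAlert:
    """Aggregated alert: category plus the feature values of the raw alerts it absorbed."""
    category: str
    count: int = 0
    signatures: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    last: datetime = None

    def add(self, alert: dict) -> None:
        self.count += 1
        self.signatures.add(alert["Classification"]["ident"])
        self.sources.add(alert["Source"]["Node"]["Address"])
        self.targets.add(alert["Target"]["Node"]["Address"])
        self.last = alert["DetectTime"] if self.last is None else max(self.last, alert["DetectTime"])

# Assumed feature weights and time window; the paper's values are not on this page.
WEIGHTS = {"signature": 0.3, "source": 0.3, "target": 0.2, "time": 0.2}
WINDOW = timedelta(minutes=5)

def feature_similarity(alert: dict, meta: MetaAlert) -> float:
    """Weighted sum of binary feature matches between a new alert and a meta-alert."""
    score = WEIGHTS["signature"] * (alert["Classification"]["ident"] in meta.signatures)
    score += WEIGHTS["source"] * (alert["Source"]["Node"]["Address"] in meta.sources)
    score += WEIGHTS["target"] * (alert["Target"]["Node"]["Address"] in meta.targets)
    score += WEIGHTS["time"] * (abs(alert["DetectTime"] - meta.last) <= WINDOW)
    return score

def aggregate(alerts: list, threshold: float = 0.6) -> list:
    """Fold each alert into the most similar meta-alert of the same category, or
    open a new meta-alert when no candidate reaches the threshold."""
    metas = []
    for alert in sorted(alerts, key=lambda a: a["DetectTime"]):
        category = alert["AdditionalData"]["category"]
        same_category = [m for m in metas if m.category == category]  # category gate first
        best = max(same_category, key=lambda m: feature_similarity(alert, m), default=None)
        if best is None or feature_similarity(alert, best) < threshold:
            best = MetaAlert(category)
            metas.append(best)
        best.add(alert)
    return metas

class NetworkComponent:
    """Network component: accepts only subscribed categories, then aggregates them."""
    def __init__(self, subscribed_categories):
        self.subscriptions = set(subscribed_categories)
        self.inbox = []

    def receive(self, alert: dict) -> bool:
        # Subscription filter: returns whether the alert was kept.
        if alert["AdditionalData"]["category"] not in self.subscriptions:
            return False
        self.inbox.append(alert)
        return True

    def meta_alerts(self, threshold: float = 0.6) -> list:
        return aggregate(self.inbox, threshold)

def run_demo() -> list:
    # One local component (analyzer id assumed) feeding one network component.
    network = NetworkComponent({"Attempted Information Leak", "Web Application Attack"})
    for line in RAW_ALERTS:
        network.receive(to_idmef(line, analyzer_id="snort-sensor-1"))
    return network.meta_alerts()
```

Calling `run_demo()` on the five constructed lines yields three meta-alerts: the three nmap probes from 172.16.112.50 within a few seconds collapse into one, the web attack stays separate because its category differs, and the later nmap probe from 10.0.0.7 stays separate because it shares only the signature and target with the first meta-alert (score 0.5, below the assumed threshold). A network component subscribed to "Attempted Information Leak" alone never receives the web alert and reports two meta-alerts.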
Keywords: IDS; Alert Aggregation; Feature Similarity
Guo Fan, Ye JiHua, Yu Min
College of Computer Information Engineering, Jiangxi Normal University, Nanchang, China
International conference
2009 4th International Conference on Computer Science & Education
Nanjing
English
pp. 975-980
2009-07-25 (date first posted online on the Wanfang platform, not the paper's publication date)