An Intrusion Alert Correlation Approach Based on Finite Automata
An intrusion alert analysis system correlates the alerts generated by one or more IDSs and yields a succinct attack scenario that reflects the intrusion process. This paper presents an intrusion alert analysis model consisting of four modules: alert formalization, alert filtering, alert fusion and correlation, and scenario visualization. Alerts are fused and correlated using an approach based on finite automata. Three kinds of high-level views of an attack are generated: the process-critical scenario, the attacker-critical scenario, and the victim-critical scenario. Experiments show that the approach reduces the redundancy of intrusion alerts and correlates them well.
Keywords: alert correlation, alert fusion, IDS, finite automaton
Authors: Lei Liu, KangFeng Zheng, YiXian Yang
Affiliation: Key Laboratory of Network and Information Attack & Defence Technology of MOE, Beijing University of Posts and Telecommunications, Beijing, China
Document type: international conference paper
Venue: Nanning
Language: English
Pages: 80-83
Date: 2010-10-13 (date first posted on the Wanfang platform; not the paper's publication date)
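The following is an added illustration of the pipeline the abstract describes (alert fusion, then finite-automaton correlation, then attacker-, victim- and process-centric views). It is not code from the paper and does not claim to reproduce the authors' automaton: the scenario automaton, the signature classes, the addresses and the alert stream are all constructed for the example, and the 60-second fusion window is an assumed parameter.

```python
"""Toy finite-automaton alert correlator (added illustration, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int    # seconds (constructed timestamps)
    src: str   # attacker address
    dst: str   # victim address
    sig: str   # normalized signature class produced by alert formalization


# Hypothetical scenario automaton: state -> {signature class: next state}.
# It encodes a generic recon -> exploit -> post-exploitation chain; a real
# deployment would carry one automaton per attack scenario of interest.
SCENARIO_FA = {
    "START": {"PORT_SCAN": "RECON"},
    "RECON": {"PORT_SCAN": "RECON", "EXPLOIT": "COMPROMISED"},
    "COMPROMISED": {"REVERSE_SHELL": "DONE", "PRIV_ESC": "DONE"},
}
ACCEPT = "DONE"

# Constructed alert stream: three repeated scans, one unrelated alert from a
# second source, and a second victim whose chain never completes.
ALERTS = [
    Alert(1000, "10.0.0.5", "10.0.1.20", "PORT_SCAN"),
    Alert(1001, "10.0.0.5", "10.0.1.20", "PORT_SCAN"),
    Alert(1002, "10.0.0.5", "10.0.1.20", "PORT_SCAN"),
    Alert(1050, "10.0.0.5", "10.0.1.21", "PORT_SCAN"),
    Alert(1100, "10.0.0.5", "10.0.1.20", "EXPLOIT"),
    Alert(1101, "10.0.0.9", "10.0.1.20", "FTP_BRUTE"),   # noise: no transition
    Alert(1130, "10.0.0.5", "10.0.1.20", "REVERSE_SHELL"),
    Alert(1200, "10.0.0.5", "10.0.1.21", "EXPLOIT"),
]


def fuse_alerts(alerts, window=60):
    """Alert fusion: merge repeats of the same (src, dst, sig) that fall within
    `window` seconds of the group's first alert into one representative alert.
    Returns [(alert, merged_count), ...] in time order."""
    groups, fused = {}, []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.sig)
        if key in groups and a.ts - groups[key][0].ts <= window:
            groups[key][1] += 1          # same list object as in `fused`
        else:
            entry = [a, 1]
            groups[key] = entry
            fused.append(entry)
    return [(a, n) for a, n in fused]


def correlate(fused):
    """Correlation: run one automaton instance per (src, dst) pair over the
    fused stream. Alerts with no transition from the current state are ignored
    rather than resetting the scenario; reaching ACCEPT emits a scenario."""
    state = defaultdict(lambda: "START")
    steps = defaultdict(list)
    scenarios = []
    for alert, count in fused:
        key = (alert.src, alert.dst)
        nxt = SCENARIO_FA.get(state[key], {}).get(alert.sig)
        if nxt is None:
            continue
        steps[key].append((alert.ts, alert.sig, count))
        state[key] = nxt
        if nxt == ACCEPT:
            scenarios.append({"attacker": alert.src, "victim": alert.dst,
                              "steps": steps.pop(key)})
            state.pop(key)               # ready for a possible second campaign
    return scenarios


def process_view(scenario):
    """Process-centric view: the ordered attack steps of one scenario."""
    return [sig for _, sig, _ in scenario["steps"]]


def attacker_view(scenarios):
    """Attacker-centric view: victims reached by each attacker."""
    view = defaultdict(list)
    for s in scenarios:
        view[s["attacker"]].append(s["victim"])
    return dict(view)


def victim_view(scenarios):
    """Victim-centric view: attackers that completed a scenario against each victim."""
    view = defaultdict(list)
    for s in scenarios:
        view[s["victim"]].append(s["attacker"])
    return dict(view)


FUSED = fuse_alerts(ALERTS)
SCENARIOS = correlate(FUSED)

if __name__ == "__main__":
    print(f"{len(ALERTS)} raw alerts -> {len(FUSED)} fused -> {len(SCENARIOS)} scenario(s)")
    for s in SCENARIOS:
        print(s["attacker"], "->", s["victim"], process_view(s))
```

On the constructed stream, fusion collapses the three port scans into one alert with a count of 3, the FTP brute-force alert from the second source is dropped by the automaton because it has no transition from START, and only the chain against 10.0.1.20 reaches the accepting state; the chain against 10.0.1.21 stays in COMPROMISED and is not reported. Choosing to ignore, rather than reset on, non-matching alerts is a design decision that keeps interleaved noise from breaking a scenario, at the cost of never expiring stale partial state, which a real system would handle with a timeout.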