Integrating IDS Alert Correlation and OS-Level Dependency Tracking

  • Yan Zhai
  • Peng Ning
  • Jun Xu
Conference paper

DOI: 10.1007/11760146_24

Part of the Lecture Notes in Computer Science book series (LNCS, volume 3975)
Cite this paper as:
Zhai Y., Ning P., Xu J. (2006) Integrating IDS Alert Correlation and OS-Level Dependency Tracking. In: Mehrotra S., Zeng D.D., Chen H., Thuraisingham B., Wang FY. (eds) Intelligence and Security Informatics. ISI 2006. Lecture Notes in Computer Science, vol 3975. Springer, Berlin, Heidelberg

Abstract

Intrusion alert correlation techniques group alerts into meaningful clusters or attack scenarios so that human analysts can understand them more easily. However, the performance of correlation is undermined by the imperfection of intrusion detection techniques: falsely correlated alerts can mislead analysis. This paper presents a practical technique to improve alert correlation by integrating alert correlation techniques with OS-level object dependency tracking. With the support of the more detailed and precise information in OS-level event logs, higher accuracy in alert correlation can be achieved. The paper also discusses the application of such integration to improving the accuracy of hypotheses about possibly missed attacks while reducing the complexity of the hypothesizing process. A series of experiments is performed to evaluate the effectiveness of the methods, and the results demonstrate significant improvements in correlation results with the proposed techniques.
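As an added illustration of the integration the abstract describes (this is not code from the paper), the following check pairs two IDS alerts only when an OS-level information-flow path connects the objects they refer to within the time window between them. The event log, the alert records and their field names are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed OS-level event log (assumed shape: time, subject, op, object).
OS_EVENTS = [
    (100, "proc:httpd", "accept", "sock:10.0.0.5:4444"),  # remote -> httpd
    (101, "proc:httpd", "write", "file:/tmp/x.sh"),        # httpd -> file
    (102, "proc:sh", "read", "file:/tmp/x.sh"),            # file -> sh
    (103, "proc:sh", "connect", "sock:10.0.0.9:80"),       # sh -> remote
    (104, "proc:sshd", "write", "file:/var/log/auth.log"), # unrelated
]
# Constructed IDS alerts; "object" is the OS object the detector observed.
ALERTS = [
    {"id": "a1", "time": 100, "sig": "WEB_EXPLOIT", "object": "sock:10.0.0.5:4444"},
    {"id": "a2", "time": 103, "sig": "SUSP_OUTBOUND", "object": "sock:10.0.0.9:80"},
    {"id": "a3", "time": 104, "sig": "SSH_BRUTE", "object": "file:/var/log/auth.log"},
]
FLOW_INTO_SUBJECT = {"read", "accept"}      # data flows object -> process
FLOW_OUT_OF_SUBJECT = {"write", "connect"}  # data flows process -> object

def build_dependency_graph(events):
    """Directed information-flow graph; each edge carries its event time."""
    graph = defaultdict(list)
    for t, subject, op, obj in events:
        if op in FLOW_INTO_SUBJECT:
            graph[obj].append((subject, t))
        elif op in FLOW_OUT_OF_SUBJECT:
            graph[subject].append((obj, t))
    return graph

def dependency_path(graph, src, dst, t_start, t_end):
    """BFS for a causally ordered path src -> dst using only edges whose
    timestamps fall in [t_start, t_end] and never decrease along the path."""
    queue, seen = deque([(src, t_start, [src])]), set()
    while queue:
        node, t_prev, path = queue.popleft()
        if node == dst:
            return path
        for nxt, t in graph.get(node, ()):
            if t_prev <= t <= t_end and (nxt, t) not in seen:
                seen.add((nxt, t))
                queue.append((nxt, t, path + [nxt]))
    return None

def correlate(alerts, events):
    """Map (earlier_id, later_id) -> OS-level path that justifies pairing them.
    Alerts that are merely close in time but not connected are left unpaired."""
    graph, result = build_dependency_graph(events), {}
    ordered = sorted(alerts, key=lambda a: a["time"])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            path = dependency_path(graph, a["object"], b["object"], a["time"], b["time"])
            if path:
                result[(a["id"], b["id"])] = path
    return result
```

Here a1 and a2 are linked through httpd, the dropped script and the shell, while a3 (the sshd log write) is adjacent in time yet has no connecting flow and so is not correlated.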

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Yan Zhai (1)
  • Peng Ning (1)
  • Jun Xu (1)
  1. North Carolina State University