Intrusion Detection Alert Verification Based on Multi-level Fuzzy Comprehensive Evaluation
Alert verification is a process which compares the information referred by an alert with the configuration and topology information of its target system in order to determine if the alert is relevant to its target system. It can reduce false positive alerts and irrelevant alerts. The paper presents an alert verification approach based on multi-level fuzzy comprehensive evaluation. It is effective in achieving false alert and irrelevant alerts reduction, which have been proved by our experiments. The algorithm can deal with the uncertainties better than other alert verification approaches. The relevance score vectors obtained from the algorithm facilitate the formulation of fine and flexible security policies, and further alert processing.
Unable to display preview. Download preview PDF.
- 1.Ning, P., Cui, Y.: An intrusion alert correlator based on prerequisites of intrusion. Technical Report TR-2002-01, Department of Computer Science, North Carolina State University (2002)Google Scholar
- 3.Gula, R.: Correlating IDS Alerts with Vulnerability Information. Technical report, Tenable Network Security (2002)Google Scholar
- 4.Goldman, R.P., Heimerdinger, W., Haro, S.A.: Information modeling for intrusion report aggregation. In: DARPA Information Survivability Conference and Exposition (DISCEX II) (2001)Google Scholar
- 6.Porras, P.A., Fong, M.W., Valdes, A.: A mission-impact-based approach to INFOSEC alarm correlation. In: 5th International Symposium on Recent Advances in Intrusion Detection (2002)Google Scholar
- 7.ICAT vulnerabilities database, available http://icat.nist.gov/icat.cfm
- 8.Xie, J., Liu, C.: The Methodology and Application of Fuzzy Mathematics (in Chinese). Hua Zhong University of Science and Technology Press, China (2000)Google Scholar