A Cognitive Model for Alert Correlation in a Distributed Environment
The area of alert fusion for strengthening information assurance in systems is a promising research area that has recently begun to attract attention. Increased demands for “more trustworthy” systems, and the fact that a single sensor cannot detect all types of misuse or anomalies, have prompted most modern information systems deployed in distributed environments to employ multiple, diverse sensors. The outputs of these sensors must therefore be fused in an effective and intelligent manner in order to provide an overall view of the status of such systems. A unified architecture for intelligent alert fusion will essentially combine alert prioritization, alert clustering and alert correlation. In this paper, we address the alert correlation aspect of sensor data fusion in distributed environments. A causal-knowledge-based inference technique with fuzzy cognitive modeling is used to correlate alerts by discovering causal relationships in alert data.
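As an added illustration, not the paper's model or code: a small fuzzy cognitive map over constructed alert concepts, with assumed causal weights, iterated to a fixed point to see which observed alerts reinforce one another and which consequences the map infers.

```python
"""Fuzzy cognitive map (FCM) inference over alert concepts (constructed example)."""

# Concept nodes are alert categories, e.g. as reported by distinct sensors.
# Names and weights are constructed for illustration, not taken from the paper.
CONCEPTS = ["recon_scan", "exploit_attempt", "priv_escalation", "data_exfil"]

# WEIGHTS[i][j] in [-1, 1]: causal influence of concept i on concept j.
WEIGHTS = [
    [0.0, 0.6, 0.0, 0.0],  # recon_scan -> exploit_attempt
    [0.0, 0.0, 0.7, 0.0],  # exploit_attempt -> priv_escalation
    [0.0, 0.0, 0.0, 0.8],  # priv_escalation -> data_exfil
    [0.0, 0.0, 0.0, 0.0],  # data_exfil: no outgoing causal edge
]


def clip(x):
    """Transfer function keeping activations in [0, 1]; 0 stays 0 (no spurious baseline)."""
    return max(0.0, min(1.0, x))


def fcm_infer(evidence, weights=WEIGHTS, max_iter=50, eps=1e-9):
    """Iterate A_j(t+1) = clip(E_j + sum_i A_i(t) * w_ij) until a fixed point.

    evidence: dict concept -> observed alert strength in [0, 1]; it is the external
    input E_j, held constant each step so observed alerts are never forgotten.
    """
    n = len(CONCEPTS)
    ext = [evidence.get(c, 0.0) for c in CONCEPTS]
    state = list(ext)
    for _ in range(max_iter):
        nxt = [clip(ext[j] + sum(state[i] * weights[i][j] for i in range(n)))
               for j in range(n)]
        converged = max(abs(a - b) for a, b in zip(nxt, state)) < eps
        state = nxt
        if converged:
            break
    return dict(zip(CONCEPTS, state))


def correlated_edges(activation, weights=WEIGHTS, threshold=0.5):
    """Causal edges (cause, effect) with both endpoints active: the inferred scenario."""
    return [(c, e) for i, c in enumerate(CONCEPTS) for j, e in enumerate(CONCEPTS)
            if weights[i][j] > 0 and activation[c] >= threshold and activation[e] >= threshold]


if __name__ == "__main__":
    # Constructed observations: a strong scan alert and a weak exploit alert.
    act = fcm_infer({"recon_scan": 1.0, "exploit_attempt": 0.4})
    for concept, level in act.items():
        print(f"{concept:16s} {level:.2f}")
    print(correlated_edges(act))
```

The weak exploit alert on its own correlates with nothing at threshold 0.5; combined with the scan it is reinforced to full activation and the map infers the downstream escalation and exfiltration concepts.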
Keywords: Network security, intelligent alert fusion, alert correlation, fuzzy cognitive modeling