Conceptual Analysis of Intrusion Alarms

  • Benjamin Morin
  • Hervé Debar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3617)

Abstract

Security information about information systems provided by current intrusion detection systems (IDS) is spread over numerous similar and fine-grained alerts. Security operators are consequently overwhelmed by alerts whose content is too poor. Alarm correlation techniques are used to reduce the number of alerts and enhance their content. In this paper, we tackle the alert correlation problem as an information retrieval problem in order to make the handling of alert groups easier.

Keywords

Intrusion Detection Intrusion Detection System Formal Context Formal Concept Analysis Security Operator 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Ferré, S., Ridoux, O.: A Logical Generalization of Formal Concept Analysis. In: International Conference on Conceptual Structures (ICCS 2000) (2000)Google Scholar
  2. 2.
    Ferré, S., Ridoux, O.: Introduction to Logical Information Systems. IRISA Research Report RR-4540 (2002)Google Scholar
  3. 3.
    Padioleau, Y., Ridoux, O.: A Logic File System. In: Usenix Annual Technical Conference (2003)Google Scholar
  4. 4.
    Godin, R., Missaoui, R., April, A.: Experimental comparison of navigation in a Galois Lattice with conventional information retrieval methods. International Journal of Man-Machine Studies 38(5), 747–767 (1993)CrossRefGoogle Scholar
  5. 5.
    Ganter, B., Wille, R.: Formal Concept Analysis - Mathematical Fundations. Springer, Heidelberg (1999)Google Scholar
  6. 6.
    Michel, C., Mé, L.: Adele: An Attack Description Language For Knowledge-Based Intrusion Detection. In: Proceedings of the 16th International Conference on Information Security (IFIP/SEC 2001) (2001)Google Scholar
  7. 7.
    Jakobson, G., Weissman, M.D.: Alarm correlation. IEEE Network Magazine 7(6), 52–60 (1993)Google Scholar
  8. 8.
    Julisch, K.: Mining Alarm Clusters to Improve Alarm Handling Efficiency. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001) (December 2001)Google Scholar
  9. 9.
    Cuppens, F., Ortalo, R.: LAMBDA: A Language to Model a Database for Detection of Attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, p. 197. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  10. 10.
    Cuppens, F.: Managing Alerts in Multi-Intrusion Detection Environment. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001) (2001)Google Scholar
  11. 11.
    Valdes, A., Skinner, K.: Probabilistic Alert Correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Benjamin Morin
    • 1
  • Hervé Debar
    • 1
  1. 1.France Télécom R&DCaenFrance

Personalised recommendations