Correlating intrusion alerts with unsupervised learning

Posted on: 2007-03-10
Degree: M.C.S
Type: Thesis
University: University of Ottawa (Canada)
Candidate: Smith, Reuben
Full Text: PDF
GTID: 2458390005985497
Subject: Computer Science
Abstract/Summary:

Alert correlation systems attempt to discover the relationships between intrusion detection system (IDS) alerts in order to determine the motivation of attackers. IDSs are deployed to detect computer attacks against a network, but their output is considered low level, since a single attack can be represented by several alerts. An alert correlation system enables the intrusion analyst to find important alerts and filter false positives more efficiently.

We present an alert correlation system based on unsupervised machine learning algorithms that is accurate and low maintenance. The system is implemented in two stages of correlation. At the first stage, alerts are grouped together such that each group forms one step of an attack. At the second stage, the groups created at the first stage are combined such that each combination of groups contains the alerts of precisely one full attack. (Abstract shortened by UMI.)
Keywords/Search Tags: Alerts, Intrusion, Attack, Correlation, System