
An alert correlation platform for memory-supported techniques

Intrusion Detection Systems (IDS) have been widely deployed in practice for detecting malicious behavior on network communication and hosts. False-positive alerts are a common problem for most IDS approaches. The solution to address this problem is to enhance the detection process by correlation and clustering of alerts. To meet the practical requirements, this process needs to be finished fast, which is a challenging task as the amount of alerts in large-scale IDS deployments is significantly high. We identify data storage and processing algorithms to be the most important factors influencing the performance of clustering and correlation. We propose and implement a highly efficient alert correlation platform. For storage, a column-based database, an In-Memory alert storage, and memory-based index tables lead to significant improvements of the performance. For processing, algorithms are designed and implemented which are optimized for In-Memory databases, e.g. an attack graph-based correlation algorithm. The platform can be distributed over multiple processing units to share memory and processing power. A standardized interface is designed to provide a unified view of result reports for end users. The efficiency of the platform is tested by practical experiments with several alert storage approaches, multiple algorithms, as well as a local and a distributed deployment.

Metadata
Author:Sebastian Roschke, Feng Cheng, Christoph Meinel
DOI:https://doi.org/10.1002/cpe.1750
ISSN:1532-0626
Parent Title (English):Concurrency and computation : practice & experience
Publisher:Wiley-Blackwell
Place of publication:Hoboken
Document Type:Article
Language:English
Year of first Publication:2012
Year of Completion:2012
Release Date:2017/03/26
Tag:IDS management; memory-based clustering; memory-based correlation; memory-based databases
Volume:24
Issue:10
Page Number:14
First Page:1123
Last Page:1136
Organizational units:An-Institute / Hasso-Plattner-Institut für Digital Engineering gGmbH
Peer Review:Refereed