Openly accessible

A lightweight intrusion alert fusion system

Wen, Sheng, Xiang, Yang and Zhou, Wanlei 2010, A lightweight intrusion alert fusion system, in HPCC 2010 : Proceedings of the 12th IEEE International Conference on High Performance Computing and Communications, IEEE, Piscataway, N.J., pp. 695-700.

Attached file: zhou-alightweight-2010.pdf (published version, application/pdf, 249.65 KB, 146 downloads)

Title A lightweight intrusion alert fusion system
Author(s) Wen, Sheng
Xiang, Yang
Zhou, Wanlei
Conference name IEEE International Conference on High Performance Computing and Communications (12th : 2010 : Melbourne, Vic.)
Conference location Melbourne, Vic.
Conference dates 1-3 Sep. 2010
Title of proceedings HPCC 2010 : Proceedings of the 12th IEEE International Conference on High Performance Computing and Communications
Editor(s) [Unknown]
Publication date 2010
Conference series International Conference on High Performance Computing and Communications
Start page 695
End page 700
Total pages 6
Publisher IEEE
Place of publication Piscataway, N.J.
Keyword(s) alert fusion
cache-based mechanism
target-oriented policy
Summary In this paper, we present some practical experience on implementing an alert fusion mechanism from our project. After investigating most of the existing alert fusion systems, we found the current body of work either weighed down in the mire of insecure design or rarely deployed because of its complexity. As confirmed by our experimental analysis, unsuitable mechanisms can easily be submerged by an abundance of useless alerts. Even with the use of methods that achieve a high fusion rate and low false positives, attacks are still possible. To find the solution, we carried out analysis on a series of alerts generated by well-known datasets as well as realistic alerts from the Australian Honey-Pot. One important finding is that one alert has more than an 85% chance of being fused in the following 5 alerts. Of particular importance is our design of a novel lightweight Cache-based Alert Fusion Scheme, called CAFS. CAFS has the capacity not only to reduce the quantity of useless alerts generated by an IDS (Intrusion Detection System), but also to enhance the accuracy of alerts, therefore greatly reducing the cost of fusion processing. We also present reasonable and practical specifications for the target-oriented fusion policy that provides a quality guarantee on alert fusion, and as a result seamlessly satisfies the process of successive correlation. Our experimental results showed that CAFS easily attained the desired level of survivable, inescapable alert fusion design. Furthermore, as a lightweight scheme, CAFS can easily be deployed and excels at a large number of alert fusions, which goes towards improving the usability of system resources. To the best of our knowledge, our work is a novel exploration in addressing these problems from a survivable, inescapable and deployable point of view.
Notes This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.
ISBN 9780769542140
9781424483358
Language eng
Field of Research 080503 Networking and Communications
Socio Economic Objective 970108 Expanding Knowledge in the Information and Computing Sciences
HERDC Research category E1 Full written paper - refereed
HERDC collection year 2010
Copyright notice ©2010, IEEE
Persistent URL http://hdl.handle.net/10536/DRO/DU:30033636
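The summary only sketches the cache-based idea: keep a small, bounded cache of recently seen alerts, fuse an incoming alert into a cached entry when it matches under a target-oriented key, and let the bound keep the cost constant. The block below is an added illustration written for this page; it is not CAFS itself or any code from the paper. It assumes a fusion key of (destination, destination port, signature) as the "target-oriented" policy, a cache of 5 entries motivated by the "85% within the following 5 alerts" finding, a 60-second freshness window, and LRU eviction; none of those specifics come from the page. The second demo shows the failure mode the summary warns about: an attacker who floods the IDS with distinct, useless alerts can push a genuine entry out of a small cache so that its repeat is no longer fused.

```python
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Alert:
    """One raw IDS alert. Minimal, assumed schema (not the paper's format)."""
    ts: float      # seconds
    sig: str       # rule / signature name
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port


@dataclass
class FusedAlert:
    """One cache entry: a group of raw alerts fused under a shared key."""
    key: tuple
    first_ts: float
    last_ts: float
    count: int = 1
    sources: set = field(default_factory=set)


class CacheAlertFusion:
    """Bounded LRU cache of fused alerts (assumed design, not CAFS)."""

    def __init__(self, capacity: int = 5, window: float = 60.0):
        self.capacity = capacity      # max cache entries
        self.window = window          # max gap (s) to keep fusing into an entry
        self.cache = OrderedDict()    # key -> FusedAlert, oldest first
        self.seen = 0
        self.fused = 0
        self.out = []                 # fused alerts handed to the correlator

    @staticmethod
    def target_key(a: Alert) -> tuple:
        # Target-oriented policy: fuse by what is attacked, not by who attacks,
        # so a distributed scan of one service collapses into one entry.
        return (a.dst, a.dport, a.sig)

    def process(self, a: Alert) -> bool:
        """Return True if `a` was fused into a cached entry, False if it opened one."""
        self.seen += 1
        k = self.target_key(a)
        hit = self.cache.get(k)
        if hit is not None:
            if a.ts - hit.last_ts <= self.window:
                hit.last_ts = a.ts
                hit.count += 1
                hit.sources.add(a.src)
                self.cache.move_to_end(k)   # refresh LRU position
                self.fused += 1
                return True
            self.out.append(self.cache.pop(k))  # stale entry: emit and restart
        self.cache[k] = FusedAlert(k, a.ts, a.ts, 1, {a.src})
        if len(self.cache) > self.capacity:
            _, evicted = self.cache.popitem(last=False)  # drop least recently used
            self.out.append(evicted)
        return False

    def flush(self) -> list:
        """Emit everything still cached (end of batch) and return all outputs."""
        while self.cache:
            _, fa = self.cache.popitem(last=False)
            self.out.append(fa)
        return self.out

    def fusion_rate(self) -> float:
        return self.fused / self.seen if self.seen else 0.0


def demo_scan() -> dict:
    """Constructed alert stream: a scan of one host from two sources, plus unrelated noise."""
    alerts = [
        Alert(0.0, "SCAN", "10.0.0.5", "192.168.1.10", 22),
        Alert(1.0, "SCAN", "10.0.0.5", "192.168.1.10", 22),    # fused
        Alert(2.0, "SCAN", "10.0.0.6", "192.168.1.10", 22),    # fused (other source, same target)
        Alert(3.0, "WEB-SQLI", "10.0.0.7", "192.168.1.20", 80),
        Alert(4.0, "SCAN", "10.0.0.5", "192.168.1.10", 22),    # fused
        Alert(120.0, "SCAN", "10.0.0.5", "192.168.1.10", 22),  # past window: new entry
        Alert(121.0, "WEB-SQLI", "10.0.0.7", "192.168.1.20", 80),
    ]
    f = CacheAlertFusion(capacity=5, window=60.0)
    flags = [f.process(a) for a in alerts]
    out = f.flush()
    return {"seen": f.seen, "fused": f.fused, "emitted": len(out),
            "rate": f.fusion_rate(), "flags": flags,
            "first_count": out[0].count, "first_sources": len(out[0].sources)}


def demo_flood(capacity: int) -> dict:
    """Constructed flood: 5 distinct useless alerts between a real alert and its repeat."""
    real = Alert(0.0, "SCAN", "10.0.0.5", "192.168.1.10", 22)
    noise = [Alert(1.0 + i, "NOISE", "10.0.0.9", f"192.168.1.{100 + i}", 443)
             for i in range(5)]
    repeat = Alert(10.0, "SCAN", "10.0.0.5", "192.168.1.10", 22)
    f = CacheAlertFusion(capacity=capacity, window=60.0)
    f.process(real)
    for n in noise:
        f.process(n)
    repeat_fused = f.process(repeat)   # False if the flood evicted `real`
    out = f.flush()
    return {"repeat_fused": repeat_fused, "emitted": len(out), "fused": f.fused}


if __name__ == "__main__":
    print(demo_scan())
    print(demo_flood(capacity=5), demo_flood(capacity=10))
```

With the 5-entry cache the flood evicts the genuine entry before its repeat arrives, so the repeat is emitted as a fresh alert instead of being fused; raising the capacity to 10 restores the fusion. That is the tension the summary points at: a cache small enough to be lightweight is a cache an attacker can fill, so the capacity and the eviction policy are security parameters, not just tuning knobs.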

Document type: Conference Paper
Collections: School of Information Technology
Open Access Collection
Unless expressly stated otherwise, the copyright for items in DRO is owned by the author, with all rights reserved.

Every reasonable effort has been made to ensure that permission has been obtained for items included in DRO. If you believe that your rights have been infringed by this repository, please contact drosupport@deakin.edu.au.

Created: Wed, 23 Mar 2011, 16:02:11 EST by Sandra Dunoon