CAFS : a novel lightweight cache-based scheme for large-scale intrusion alert fusion

Wen, Sheng, Zhou, Wei, Xiang, Yang and Zhou, Wanlei 2011, CAFS : a novel lightweight cache-based scheme for large-scale intrusion alert fusion, Concurrency computation : practice and experience, vol. 24, no. 10, pp. 1137-1153.


Title CAFS : a novel lightweight cache-based scheme for large-scale intrusion alert fusion
Author(s) Wen, Sheng; Zhou, Wei; Xiang, Yang; Zhou, Wanlei
Journal name Concurrency computation : practice and experience
Volume number 24
Issue number 10
Start page 1137
End page 1153
Publisher John Wiley & Sons
Place of publication West Sussex, U. K.
Publication date 2011-04-28
ISSN 1532-0626 (print); 1532-0634 (online)
Keyword(s) alert fusion; cache-based mechanism; target-oriented policy
Summary In this paper, we present practical experience from our project in implementing an alert fusion mechanism. After investigating most of the existing alert fusion systems, we found that current work is either weighed down by insecure design or rarely deployed because of its complexity. As confirmed by our experimental analysis, unsuitable mechanisms can easily be submerged by an abundance of useless alerts, and even methods that achieve a high fusion rate and low false positives remain open to attack. To find a solution, we analysed a series of alerts generated from well-known datasets as well as realistic alerts from the Australian Honey-Pot. One important finding is that an alert has more than an 85% chance of being fused within the following five alerts. Of particular importance is our design of a novel lightweight Cache-based Alert Fusion Scheme, called CAFS. CAFS not only reduces the quantity of useless alerts generated by the intrusion detection system, but also enhances the accuracy of alerts, thereby greatly reducing the cost of fusion processing. We also present reasonable and practical specifications for a target-oriented fusion policy that provides a quality guarantee on alert fusion and, as a result, seamlessly supports the subsequent correlation process. Our experiments compared CAFS with traditional centralized fusion. The results showed that CAFS easily attains the desired level of simple, counter-escapable alert fusion design. Furthermore, as a lightweight scheme, CAFS can easily be deployed and excels at large-scale alert fusion, improving the usability of system resources. To the best of our knowledge, our work is a practical exploration in addressing these problems from an academic point of view. Copyright © 2011 John Wiley & Sons, Ltd.
Notes Published online 28th April 2011 as Early View article
Language eng
Field of Research 080503 Networking and Communications
Socio Economic Objective 890202 Application Tools and System Utilities
HERDC Research category C1 Refereed article in a scholarly journal
HERDC collection year 2012
Copyright notice ©2011, John Wiley & Sons
Persistent URL http://hdl.handle.net/10536/DRO/DU:30040592

Document type: Journal Article
Collection: School of Information Technology
Unless expressly stated otherwise, the copyright for items in DRO is owned by the author, with all rights reserved.

Created: Mon, 05 Dec 2011, 12:49:40 EST
