TY - GEN
T1 - A language driven intrusion detection system for event and alert correlation
AU - Totel, Eric
AU - Vivinis, Bernard
AU - Mé, Ludovic
PY - 2004/1/1
Y1 - 2004/1/1
N2 - It is well known that security prevention mechanisms are not sufficient to protect an information system effectively; intrusion detection systems are also required. But these systems have many imperfections: they can either generate false positives (i.e., alarms that should not be raised) or miss attacks (false negatives). The main problem, however, is the generation of false positives, which can overwhelm the information system administrator. In this paper, we follow the notion of correlation proposed by others, with the objective of correlating either events in the analyser or alerts in the manager. We first present the ADeLe language, which provides a way to define the correlation properties. We then present the algorithms implemented in our IDS to handle ADeLe signatures. Finally, we show the stress tests applied to the probe algorithms that we have implemented.
AB - It is well known that security prevention mechanisms are not sufficient to protect an information system effectively; intrusion detection systems are also required. But these systems have many imperfections: they can either generate false positives (i.e., alarms that should not be raised) or miss attacks (false negatives). The main problem, however, is the generation of false positives, which can overwhelm the information system administrator. In this paper, we follow the notion of correlation proposed by others, with the objective of correlating either events in the analyser or alerts in the manager. We first present the ADeLe language, which provides a way to define the correlation properties. We then present the algorithms implemented in our IDS to handle ADeLe signatures. Finally, we show the stress tests applied to the probe algorithms that we have implemented.
KW - Alert correlation
KW - Attack signature recognition
KW - Event correlation
KW - Intrusion detection
KW - Site security monitoring
UR - https://www.scopus.com/pages/publications/84862190056
U2 - 10.1007/1-4020-8143-x_14
DO - 10.1007/1-4020-8143-x_14
M3 - Conference contribution
AN - SCOPUS:84862190056
SN - 9781475780161
T3 - IFIP Advances in Information and Communication Technology
SP - 209
EP - 224
BT - Security and Protection in Information Processing systems - IFIP 18th World Computer Congress, TC11 19th International Information Security Conference, SEC 2004
PB - Springer New York LLC
T2 - IFIP TC11 19th International Information Security Conference, SEC 2004
Y2 - 22 August 2004 through 27 August 2004
ER -