AutoCorrel I – A Neural Network Event Correlation Approach

Authors
  1. Dondo, M.
  2. Japkowicz, N.
  3. Smith, R.
Corporate Authors
Defence R&D Canada - Ottawa, Ottawa ONT (CAN)
Abstract
Intrusion detection analysts are often swamped by multitudes of alerts originating from installed intrusion detection systems (IDS) as well as logs from routers and firewalls on the networks. Properly managing these alerts and correlating them with previously seen threats is critical to effectively protecting a network from attacks. Manually correlating events can be a slow, tedious task prone to human error. We present a two-stage alert correlation approach involving an artificial neural network (ANN) autoassociator and a single-parameter decision threshold-setting unit. By clustering closely matched alerts together, this approach would be beneficial to the analyst. In this approach, alert attributes are extracted from the content of each alert and used to train an autoassociator. Based on the reconstruction error determined by the autoassociator, closely matched alerts are grouped together. Whenever a new alert is received, it is automatically categorised into one of the alert clusters, which identify the type of attack and its severity level as previously known by the analyst. If the attack is entirely new and there is no match to the existing clusters, this is appropriately reflected to the analyst. There are several advantages to using an ANN-based approach. First, ANNs acquire knowledge straight from the data without the need for a human expert to build sets of domain rules and facts. Second, once trained, ANNs can be very fast, accurate and have high precision f

A French abstract is available here.

Keywords
Neural Network; Intrusion Detection System; Network Event Correlation; Alert Correlation; Autoassociator
Report Number
DRDC-OTTAWA-TM-2005-193 — Technical Memorandum
Date of publication
01 Oct 2005
Number of Pages
46
DSTKIM No
CA027062
CANDIS No
525081
Format(s):
CD ROM
