Improving Intrusion Detection through Alert Verification

Thomas Heyman, Bart De Win, Christophe Huygens, Wouter Joosen

2006

Abstract

Intrusion detection systems (IDS) suffer from a lack of scalability. Alert correlation has been introduced to address this challenge and is generally considered to be the major part of the solution. One of the steps in the correlation process is the verification of alerts. We have identified the relationships and interactions between correlation and verification. An overview of verification tests proposed in literature is presented and refined. Our contribution is to integrate these tests in an extensible generic framework for verification that enables further experimentation. A proof-of-concept implementation is presented and a first evaluation is made. We conclude that verification is a viable extension to the intrusion detection process. Its effectiveness is highly dependent on contextual information.

Download


Paper Citation


in Harvard Style

Heyman T., De Win B., Huygens C. and Joosen W. (2006). Improving Intrusion Detection through Alert Verification . In Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006) ISBN 978-972-8865-52-8, pages 207-216. DOI: 10.5220/0002499602070216


in Bibtex Style

@conference{wosis06,
author={Thomas Heyman and Bart De Win and Christophe Huygens and Wouter Joosen},
title={Improving Intrusion Detection through Alert Verification},
booktitle={Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006)},
year={2006},
pages={207-216},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002499602070216},
isbn={978-972-8865-52-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 4th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2006)
TI - Improving Intrusion Detection through Alert Verification
SN - 978-972-8865-52-8
AU - Heyman T.
AU - De Win B.
AU - Huygens C.
AU - Joosen W.
PY - 2006
SP - 207
EP - 216
DO - 10.5220/0002499602070216