Mona Lange1, Felix Kuhr2 and Ralf Möller1
1Institute of Information Systems, Universität zu Lübeck, 2Technical Universität Hamburg-Harburg, Germany
ABSTRACT
With the growing deployment of host-based and network-based intrusion detection systems in increasingly large and complex communication networks, managing the low-level alerts these systems produce becomes critically important. Probes from multiple distributed firewalls (FWs), intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are collected throughout a monitored network, so that large series of alerts (alert streams) need to be fused. An alert indicates abnormal behavior that could be a sign of an ongoing cyber attack. Unfortunately, in a real data communication network, administrators cannot manage the large number of alerts occurring per second, in particular since most alerts are false positives. Hence, an emerging track of security research has focused on alert correlation to better distinguish true positives from false positives. To achieve this goal we introduce Mission Oriented Network Analysis (MONA). This method builds on data correlation to derive network dependencies and manages security events by linking incoming alerts to those network dependencies.
KEYWORDS
Network Dependency Analysis, Security Event Management, Data Correlation