USING A DEEP UNDERSTANDING OF NETWORK ACTIVITIES FOR SECURITY EVENT MANAGEMENT
Mona Lange1, Felix Kuhr2 and Ralf Möller1
1Institute of Information Systems, Universitat zu Lubeck, 2Technical Universitat Hamburg-Harburg, Germany
ABSTRACT
With the growing deployment of host-based and network-based intrusion detection systems in increasingly large and complex communication networks, managing low-level alerts from these systems becomes critically important. Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or intrusion prevention systems (IPSs) are collected throughout a monitored network such that large series of alerts (alert streams) need to be fused. An alert indicates an abnormal behavior, which could potentially be a sign for an ongoing cyber attack. Unfortunately, in a real data communication network, administrators cannot manage the large number of alerts occurring per second, in particular since most alerts are false positives. Hence, an emerging track of security research has focused on alert correlation to better identify true positive and false positive. To achieve this goal we introduce Mission Oriented Network Analysis (MONA). This method builds on data correlation to derive network dependencies and manage security events by linking incoming alerts to network dependencies.
KEYWORDS
Network Dependency Analysis, Security Event Management, Data Correlation
ORIGINAL SOURCE URL : http://aircconline.com/ijnsa/V8N3/8316ijnsa01.pdf
No comments:
Post a Comment