Alert Correlation through Triggering Events and Common Resources

Complementary security systems are widely deployed in networks to protect digital assets. Alert correlation is essential to understanding the security threats and taking appropriate actions. This paper proposes a novel correlation approach based on triggering events and common resources. One of the key concepts in our approach is triggering events, which are the (low-level) events that trigger alerts. By grouping alerts that share "similar" triggering events, a set of alerts can be partitioned into clusters such that the alerts in the same cluster may correspond to the same attack. Our approach further examines whether the alerts in each cluster are consistent with the relevant network and host configurations, which helps analysts partially identify the severity of alerts and clusters. The other key concept in our approach is input and output resources. Intuitively, input resources are the resources necessary for an attack to succeed, and output resources are the res...
Dingbang Xu, Peng Ning
Added 20 Aug 2010
Updated 20 Aug 2010
Type Conference
Year 2004
Authors Dingbang Xu, Peng Ning