Event Data Exchange and Intrusion Alert Correlation in Heterogeneous Networks

Authors: Antti Hätälä, Camillo Särs, Ronja Addams-Moring, Teemupekka Virtanen
Date: 01 July 2004
File size: 251.23 kB
Downloads: 1643

If alerts from different intrusion detection system (IDS) sources are to be correlated, the sources must agree on what they are actually seeing, on how to report it, and on how much information to report. In this paper, we review the Intrusion Detection Message Exchange Format (IDMEF) data model as an event data exchange mechanism and analyze how different correlation algorithms are used in real-life systems. Based on these analyses, we propose a simple taxonomy of intrusion alert correlation algorithms to complement the IDMEF data model.
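As an added illustration of the exchange-and-correlation problem the abstract describes (example code written for this page, not code from the paper): three constructed IDMEF alerts from two hypothetical sensors are parsed using the element names and namespace of RFC 4765, normalised into a common record, and then correlated by shared source and target address within a time window. The sensor identifiers, addresses, timestamps and the function names are assumptions; the third alert deliberately omits the Source element, which is the "how much information to report" problem: a sensor that reports less cannot be matched on the attributes it left out.

```python
"""Parse IDMEF (RFC 4765) alerts from heterogeneous sensors and correlate them.

Added example for this page, not code from the paper. The IDMEF namespace and
element names are those of RFC 4765; the alerts, sensor ids and addresses are
constructed sample data.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"idmef": "http://iana.org/idmef"}  # IDMEF XML namespace from RFC 4765

# Constructed sample: a network IDS and a host IDS report the same probe, then
# the host IDS reports a follow-up event without any Source element. The
# ntpstamp attribute is mandatory in IDMEF; values were computed for these times.
SAMPLE_IDMEF = """<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="a1">
    <idmef:Analyzer analyzerid="nids-edge" model="constructed-nids"/>
    <idmef:CreateTime ntpstamp="0xc48e5f20.0x00000000">2004-07-01T10:00:00Z</idmef:CreateTime>
    <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>198.51.100.5</idmef:address></idmef:Address></idmef:Node></idmef:Target>
    <idmef:Classification text="TCP port scan"/>
  </idmef:Alert>
  <idmef:Alert messageid="a2">
    <idmef:Analyzer analyzerid="hids-web01" model="constructed-hids"/>
    <idmef:CreateTime ntpstamp="0xc48e5f25.0x00000000">2004-07-01T10:00:05Z</idmef:CreateTime>
    <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>198.51.100.5</idmef:address></idmef:Address></idmef:Node></idmef:Target>
    <idmef:Classification text="Burst of connection attempts"/>
  </idmef:Alert>
  <idmef:Alert messageid="a3">
    <idmef:Analyzer analyzerid="hids-web01" model="constructed-hids"/>
    <idmef:CreateTime ntpstamp="0xc48e5f2a.0x00000000">2004-07-01T10:00:10Z</idmef:CreateTime>
    <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>198.51.100.5</idmef:address></idmef:Address></idmef:Node></idmef:Target>
    <idmef:Classification text="Failed login"/>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def _addr(alert, role):
    """First address under Source or Target, or None if the sensor omitted it."""
    node = alert.find(f"idmef:{role}/idmef:Node/idmef:Address/idmef:address", NS)
    return node.text.strip() if node is not None and node.text else None


def parse_idmef(xml_text):
    """Normalise every Alert into a flat record; unreported fields become None."""
    root = ET.fromstring(xml_text)
    alerts = []
    for a in root.findall("idmef:Alert", NS):
        ct = a.find("idmef:CreateTime", NS)
        cls = a.find("idmef:Classification", NS)
        alerts.append({
            "id": a.get("messageid"),
            "analyzer": a.find("idmef:Analyzer", NS).get("analyzerid"),
            "time": datetime.fromisoformat(ct.text.strip().replace("Z", "+00:00")),
            "source": _addr(a, "Source"),
            "target": _addr(a, "Target"),
            "classification": cls.get("text") if cls is not None else None,
        })
    return sorted(alerts, key=lambda r: r["time"])


def correlate(alerts, window_s=600):
    """Attribute-based correlation: alerts with the same (source, target) pair
    within window_s seconds of a group's first alert form one meta-alert.
    A missing source is kept as None, so an alert from a sensor that did not
    report it is never silently merged into a group with a known source."""
    groups = []
    for a in alerts:  # parse_idmef() already sorted them by time
        for g in groups:
            same_key = (a["source"], a["target"]) == (g["source"], g["target"])
            in_window = (a["time"] - g["first"]).total_seconds() <= window_s
            if same_key and in_window:
                g["alerts"].append(a["id"])
                g["analyzers"].add(a["analyzer"])
                g["classifications"].append(a["classification"])
                break
        else:
            groups.append({"source": a["source"], "target": a["target"],
                           "first": a["time"], "alerts": [a["id"]],
                           "analyzers": {a["analyzer"]},
                           "classifications": [a["classification"]]})
    return groups


if __name__ == "__main__":
    for g in correlate(parse_idmef(SAMPLE_IDMEF)):
        print(g["source"], "->", g["target"], g["alerts"], sorted(g["analyzers"]),
              "confirmed by", len(g["analyzers"]), "sensor(s)")
```

The first meta-alert carries both sensor ids, which is the multi-source confirmation a correlator wants to surface; the third alert lands in its own group because its sensor sent no Source element, not because it is unrelated. Agreeing in advance on which IDMEF fields every sensor fills in is therefore part of making the correlation work at all.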
