A Novelty-Driven Approach to Intrusion Alert Correlation Based on Distributed Hash Tables

Authors (4): Alexander Hofmann (University of Passau, Faculty of Computer Science and Mathematics, 94030 Passau, Germany); Ivan Dedinski; Bernhard Sick; Hermann de Meer

Distributed intrusion detection and prevention plays an increasingly important role in securing computer networks. In a distributed intrusion detection system, alerts or high-level meta-alerts are exchanged, aggregated, and correlated in a cooperative fashion to overcome the limitations of conventional intrusion detection systems. Substantial progress has been made, but current systems still suffer from various drawbacks: most of them only distribute the data collection and not the analysis itself, or they rely on a hierarchical or even centralized organization and/or communication architecture. Furthermore, the alerts or meta-alerts are usually aggregated at a pre-defined location, and there is no reduction of the vast amount of alerts prior to distribution. Consequently, scalability is limited, and any central component in the architecture introduces a "single point of failure". We propose a completely distributed intrusion detection system based on distributed hash tables to efficiently exchange and aggregate alerts and meta-alerts in a cooperative, self-organizing, and load-balanced way. Independent intrusion detection agents publish their alerts based on a new novelty measure for alerts which prohibits the distribution of already known and hence worthless knowledge. The benefits of our approach are evaluated for a well-known probing attack.
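The abstract describes two mechanisms without giving their details: alerts are routed through a distributed hash table so that no central aggregation point exists, and a novelty measure stops an agent from re-publishing alerts it has already reported. The following is an added illustration written for this page, not code from the paper or its authors. It assumes a consistent-hashing ring as the DHT, a correlation key built from signature and source address, and a simple novelty measure (1 for an unseen key, 1/(1+n) after n local sightings) with a publish threshold of 0.5; the paper's actual measure, key layout, and routing may differ. The simulated probe (a port scan from one constructed source observed by several agents) shows the reduction in distributed messages and the per-key aggregation at the responsible node.

```python
"""Toy DHT-based alert exchange with a novelty filter.

Added example, not the paper's implementation. The novelty measure, the
correlation key and the ring layout are assumptions made for illustration.
"""
import hashlib
from bisect import bisect_right
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str      # agent that raised the alert
    signature: str   # constructed label, not a real ruleset identifier
    src_ip: str
    dst_ip: str
    dst_port: int


def alert_key(alert: Alert) -> str:
    """Correlation key: alerts sharing it are treated as one event family (assumed)."""
    return f"{alert.signature}|{alert.src_ip}"


def ring_hash(s: str) -> int:
    """Map a string onto the 160-bit identifier ring."""
    return int(hashlib.sha1(s.encode()).hexdigest(), 16)


class DhtNode:
    """A node that stores and aggregates meta-alerts for keys it is responsible for."""

    def __init__(self, name: str):
        self.name = name
        self.node_id = ring_hash(name)
        self.meta = {}  # key -> aggregated meta-alert

    def put(self, key: str, alert: Alert) -> dict:
        m = self.meta.setdefault(key, {"count": 0, "publishers": set(), "dst_ports": set()})
        m["count"] += 1
        m["publishers"].add(alert.sensor)
        m["dst_ports"].add(alert.dst_port)
        return m


class Dht:
    """Consistent-hashing ring: a key is owned by the first node clockwise from its hash."""

    def __init__(self, names):
        self.nodes = sorted((DhtNode(n) for n in names), key=lambda n: n.node_id)
        self.ids = [n.node_id for n in self.nodes]

    def responsible(self, key: str) -> DhtNode:
        return self.nodes[bisect_right(self.ids, ring_hash(key)) % len(self.nodes)]

    def publish(self, alert: Alert) -> dict:
        key = alert_key(alert)
        return self.responsible(key).put(key, alert)

    def lookup(self, key: str):
        return self.responsible(key).meta.get(key)


class Agent:
    """An IDS agent that publishes an alert only while its novelty exceeds a threshold."""

    def __init__(self, name: str, dht: Dht, threshold: float = 0.5):
        self.name = name
        self.dht = dht
        self.threshold = threshold
        self.seen = Counter()  # local sighting count per correlation key

    def novelty(self, key: str) -> float:
        # Assumed measure: 1.0 for an unseen key, decaying with each local sighting.
        return 1.0 / (1 + self.seen[key])

    def raise_alert(self, alert: Alert) -> bool:
        key = alert_key(alert)
        nov = self.novelty(key)
        self.seen[key] += 1
        if nov > self.threshold:
            self.dht.publish(alert)
            return True
        return False  # already known locally: not worth distributing


def simulate_probe(n_agents: int = 3, n_ports: int = 20):
    """Constructed scenario: one source probes n_ports on each agent's monitored host."""
    dht = Dht([f"node-{i}" for i in range(8)])
    agents = [Agent(f"agent-{i}", dht) for i in range(n_agents)]
    local_alerts = published = 0
    for idx, agent in enumerate(agents):
        for port in range(1, n_ports + 1):
            alert = Alert(agent.name, "PORTSCAN", "192.0.2.10", f"198.51.100.{idx}", port)
            local_alerts += 1
            published += agent.raise_alert(alert)
    return local_alerts, published, dht.lookup("PORTSCAN|192.0.2.10")


if __name__ == "__main__":
    total, sent, meta = simulate_probe()
    print(f"local alerts: {total}, published to DHT: {sent}")
    print("meta-alert:", meta)
```

With three agents and twenty probed ports each, sixty local alerts produce three DHT messages, and the node owning the key sees that three independent publishers reported the same source. The trade-off is visible too: because the key ignores the destination port, the aggregated meta-alert records only the ports from the published alerts, so the choice of correlation key decides what the collective view retains.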

Published in:

Computers and Communications, 2007. ISCC 2007. 12th IEEE Symposium on

Date of Conference:

1-4 July 2007