2nd International ICST Conference on Communications and Networking in China

Research Article

Intrusion Alert Correlation based on D-S Evidence Theory

@INPROCEEDINGS{10.1109/CHINACOM.2007.4469406,
    author={Mei Haibin and Gong Jian},
    title={Intrusion Alert Correlation based on D-S Evidence Theory},
    proceedings={2nd International ICST Conference on Communications and Networking in China},
    publisher={IEEE},
    proceedings_a={CHINACOM},
    year={2008},
    month={3},
    keywords={D-S evidence theory, alert correlation, intrusion detection system, network security},
    doi={10.1109/CHINACOM.2007.4469406}
}

Mei Haibin (1), Gong Jian (1)

1: School of Computer Science and Engineering, Southeast University; Computer Network Technology Key Laboratory of Jiangsu Province, Nanjing, China

Abstract

Current intrusion detection systems (IDSs) often trigger a large number of alerts, most of which are redundant or false positives. Consequently, it is difficult for administrators to understand the alerts and take appropriate action. Several alert correlation methods have been proposed, but they do not account for differences in reliability among alerts reported by multiple IDSs. This paper presents a novel alert correlation approach based on Dempster-Shafer evidence theory: each alert is treated as a piece of evidence for a network attack, all the evidence is combined according to Dempster's combination rule, and the combined result is used to infer whether the attack has actually taken place. The main advantage of the approach is that it resolves ambiguity and conflict between alerts and reduces the number of alerts. On the DARPA 2000 test dataset, experimental results show that the approach removes more than 69% of the reported alerts and lowers the false positive rate.
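To make the combination step concrete, the following added example (not code from the paper) applies Dempster's rule to verdicts from several IDS sensors over the frame {attack, benign}. The per-sensor reliability values, the rule that a silent sensor contributes mass to {benign}, and the sample verdicts are constructed assumptions for illustration; the paper's own reliability estimation and alert model are not reproduced here.

```python
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

# Frame of discernment: did the suspected attack happen or not?
ATTACK = frozenset({"attack"})
BENIGN = frozenset({"benign"})
THETA = ATTACK | BENIGN  # the whole frame = total ignorance

Mass = Dict[FrozenSet[str], float]  # basic probability assignment


def alert_evidence(reliability: float, fired: bool) -> Mass:
    """Turn one sensor's verdict into a mass function.

    Assumption (not from the paper): a fired alert puts `reliability`
    mass on {attack}, a silent sensor puts it on {benign}; the remainder
    goes to Theta (ignorance) rather than to the opposite hypothesis.
    """
    focal = ATTACK if fired else BENIGN
    return {focal: reliability, THETA: 1.0 - reliability}


def dempster_combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: m12(A) = sum_{B&C=A} m1(B)m2(C) / (1 - K),
    where K (the conflict) is the mass on empty intersections."""
    combined: Mass = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if not inter:
            conflict += mb * mc  # contradictory evidence
        else:
            combined[inter] = combined.get(inter, 0.0) + mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict: evidence cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}


def correlate(verdicts: List[Tuple[float, bool]]) -> Tuple[float, float]:
    """Fold all (reliability, fired) verdicts into one mass function and
    return (belief, plausibility) that the attack took place."""
    m: Mass = {THETA: 1.0}  # start from ignorance
    for reliability, fired in verdicts:
        m = dempster_combine(m, alert_evidence(reliability, fired))
    belief = m.get(ATTACK, 0.0)
    plausibility = 1.0 - m.get(BENIGN, 0.0)
    return belief, plausibility


if __name__ == "__main__":
    # Constructed sample: a reliable sensor fires, a weaker one stays silent.
    print(correlate([(0.9, True), (0.6, False)]))
```

Two agreeing alerts raise belief above either sensor alone, while a reliable alert contradicted by a weaker silent sensor is discounted but not discarded, which is the conflict-resolution behaviour the abstract refers to.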