Network Intrusion Detection Systems (NIDS) are popular components for a fast detection of network attacks and intrusions, but their efficacy is limited by the high numbers of false alarms that affect them. As a consequence, system administrators,that have to manually manage an overwhelming amount of intrusion alerts, tend to decrease the alarm threshold or even to deactivate most NIDS functions. These weaknesses are frequently exploited by the attackers to avoid or to delay attackdetection.In order to improve the efficacy of attack detection and reduce the amount of false positives, we propose a novel scheme for runtime lert management. It filters innocuous attacks by taking advantage of the correlation between the NIDS alerts and detailed information concerning the protected information systems, that is retrieved from heterogeneous and unstructured data sources. Thanks to the proposed scheme, an alert is sent to the system administrator only if an attack threatens some real vulnerability of the protected hosts. Otherwise, as it occurs in the large majority of the cases, the alert is stored for a subsequent offline analysis. The viability and efficacy of the proposed solution are demonstrated through an operative prototype that has been tested in networks subject to realistic attacks.

Selective alerts for run-time protection of distributed systems / Colajanni, Michele; Gozzi, Daniele; Marchetti, Mirco. - STAMPA. - (2008), pp. N/A-N/A. ((Intervento presentato al convegno Data Mining 2008 tenutosi a Cadiz, Spain nel 26 - 28 May 2008.

Selective alerts for run-time protection of distributed systems

COLAJANNI, Michele;GOZZI, Daniele;MARCHETTI, Mirco
2008

Abstract

Network Intrusion Detection Systems (NIDS) are popular components for a fast detection of network attacks and intrusions, but their efficacy is limited by the high numbers of false alarms that affect them. As a consequence, system administrators,that have to manually manage an overwhelming amount of intrusion alerts, tend to decrease the alarm threshold or even to deactivate most NIDS functions. These weaknesses are frequently exploited by the attackers to avoid or to delay attackdetection.In order to improve the efficacy of attack detection and reduce the amount of false positives, we propose a novel scheme for runtime lert management. It filters innocuous attacks by taking advantage of the correlation between the NIDS alerts and detailed information concerning the protected information systems, that is retrieved from heterogeneous and unstructured data sources. Thanks to the proposed scheme, an alert is sent to the system administrator only if an attack threatens some real vulnerability of the protected hosts. Otherwise, as it occurs in the large majority of the cases, the alert is stored for a subsequent offline analysis. The viability and efficacy of the proposed solution are demonstrated through an operative prototype that has been tested in networks subject to realistic attacks.
Data Mining 2008
Cadiz, Spain
26 - 28 May 2008
N/A
N/A
Colajanni, Michele; Gozzi, Daniele; Marchetti, Mirco
Selective alerts for run-time protection of distributed systems / Colajanni, Michele; Gozzi, Daniele; Marchetti, Mirco. - STAMPA. - (2008), pp. N/A-N/A. ((Intervento presentato al convegno Data Mining 2008 tenutosi a Cadiz, Spain nel 26 - 28 May 2008.
File in questo prodotto:
Non ci sono file associati a questo prodotto.
Pubblicazioni consigliate

Caricamento pubblicazioni consigliate

Licenza Creative Commons
I metadati presenti in IRIS UNIMORE sono rilasciati con licenza Creative Commons CC0 1.0 Universal, mentre i file delle pubblicazioni sono rilasciati con licenza Attribuzione 4.0 Internazionale (CC BY 4.0), salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/11380/641693
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 0
  • ???jsp.display-item.citation.isi??? ND
social impact