Network Intrusion Detection Systems (NIDS) are popular components for a fast detection of network attacks and intrusions, but their efficacy is limited by the high numbers of false alarms that affect them. As a consequence, system administrators,that have to manually manage an overwhelming amount of intrusion alerts, tend to decrease the alarm threshold or even to deactivate most NIDS functions. These weaknesses are frequently exploited by the attackers to avoid or to delay attackdetection.In order to improve the efficacy of attack detection and reduce the amount of false positives, we propose a novel scheme for runtime lert management. It filters innocuous attacks by taking advantage of the correlation between the NIDS alerts and detailed information concerning the protected information systems, that is retrieved from heterogeneous and unstructured data sources. Thanks to the proposed scheme, an alert is sent to the system administrator only if an attack threatens some real vulnerability of the protected hosts. Otherwise, as it occurs in the large majority of the cases, the alert is stored for a subsequent offline analysis. The viability and efficacy of the proposed solution are demonstrated through an operative prototype that has been tested in networks subject to realistic attacks.
Selective alerts for run-time protection of distributed systems / Colajanni, Michele; Gozzi, Daniele; Marchetti, Mirco. - STAMPA. - 40:(2008), pp. 287-296. (Intervento presentato al convegno 9th International Conference on Data Mining, Protection, Detection and other Security Technologies, Data Mining 2008 tenutosi a Cadiz, esp nel 26 - 28 May 2008) [10.2495/DATA080271].
Selective alerts for run-time protection of distributed systems
COLAJANNI, Michele;GOZZI, Daniele;MARCHETTI, Mirco
2008
Abstract
Network Intrusion Detection Systems (NIDS) are popular components for a fast detection of network attacks and intrusions, but their efficacy is limited by the high numbers of false alarms that affect them. As a consequence, system administrators,that have to manually manage an overwhelming amount of intrusion alerts, tend to decrease the alarm threshold or even to deactivate most NIDS functions. These weaknesses are frequently exploited by the attackers to avoid or to delay attackdetection.In order to improve the efficacy of attack detection and reduce the amount of false positives, we propose a novel scheme for runtime lert management. It filters innocuous attacks by taking advantage of the correlation between the NIDS alerts and detailed information concerning the protected information systems, that is retrieved from heterogeneous and unstructured data sources. Thanks to the proposed scheme, an alert is sent to the system administrator only if an attack threatens some real vulnerability of the protected hosts. Otherwise, as it occurs in the large majority of the cases, the alert is stored for a subsequent offline analysis. The viability and efficacy of the proposed solution are demonstrated through an operative prototype that has been tested in networks subject to realistic attacks.
Pubblicazioni consigliate
I metadati presenti in IRIS UNIMORE sono rilasciati con licenza Creative Commons CC0 1.0 Universal, mentre i file delle pubblicazioni sono rilasciati con licenza Attribuzione 4.0 Internazionale (CC BY 4.0), salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris
