Author

Jinqiao Yu

Date of Graduation

2004

Document Type

Thesis

Abstract

An intrusion detection system (IDS) is a software system or hardware device deployed to monitor network and host activity, including data flows and information accesses, in order to capture suspicious behaviour. In recent years, IDS has begun to gain wide acceptance as a necessary and worthwhile investment in security. Current IDS products, however, present many flaws, including alert flooding, excessive false alerts, isolated alerts, and a lack of context awareness and security decision support. Many of these problems severely hinder their efficient use in practice. To make IDS products more efficient to use and their generated alerts more accurate, this dissertation work, an intrusion detection alert management and analysis project dubbed TRINETR, has been developed at the Concurrent Engineering Research Center of West Virginia University. The project presents a novel alert management and analysis architecture composed of three key parts: (1) Alert Aggregation, (2) Knowledge-based Alert Evaluation and Security Decision Support, and (3) Alert Correlation. The project aims to reduce alert overload by aggregating alerts from multiple sensors into condensed views, to reduce false positive alerts by integrating network and host system information into the alert evaluation process, to provide appropriate security solution suggestions for the evaluated alerts to facilitate decision making, and to correlate intrusion events to find the logical relations among them. Implementation and testing of a prototype system are also reported in this dissertation, as well as a study of the application of a time series analysis approach to alert correlation.
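The three stages the abstract names (aggregation into condensed views, knowledge-based evaluation against host information, and correlation of the surviving events) can be illustrated with a small pipeline. The following is an added example written for this page; it is not TRINETR code and does not reproduce the dissertation's design. The alert records, the signature knowledge base (`SIG_REQUIRES`), the host inventory (`HOSTS`) and the suggestion table (`SUGGESTIONS`) are all constructed here for illustration, as is the 60-second correlation window.

```python
from collections import defaultdict

# Constructed sample alerts from two hypothetical sensors (not real IDS output).
# ts is seconds since an arbitrary epoch; signature names are illustrative only.
ALERTS = [
    {"sensor": "ids-a", "sig": "IIS unicode traversal", "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 80, "ts": 100},
    {"sensor": "ids-b", "sig": "IIS unicode traversal", "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 80, "ts": 101},
    {"sensor": "ids-a", "sig": "IIS unicode traversal", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 80, "ts": 102},
    {"sensor": "ids-b", "sig": "IIS unicode traversal", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 80, "ts": 103},
    {"sensor": "ids-a", "sig": "SSH brute force", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "ts": 130},
    {"sensor": "ids-b", "sig": "SSH brute force", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "ts": 131},
    {"sensor": "ids-a", "sig": "SSH brute force", "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 22, "ts": 140},
    {"sensor": "ids-a", "sig": "SSH brute force", "src": "10.0.0.7", "dst": "10.0.1.20", "dport": 22, "ts": 300},
]

# Hypothetical signature knowledge base: what the target must run for the alert to matter.
SIG_REQUIRES = {
    "IIS unicode traversal": {"os": "windows", "service": "http"},
    "SSH brute force": {"os": None, "service": "ssh"},
}

# Hypothetical host inventory: the "network and host system information" used in evaluation.
HOSTS = {
    "10.0.1.10": {"os": "windows", "services": {80: "http"}},
    "10.0.1.20": {"os": "linux", "services": {22: "ssh", 80: "http"}},
}

# Hypothetical decision-support table: a suggested defensive action per relevant signature.
SUGGESTIONS = {
    "IIS unicode traversal": "check IIS patch level and web server logs on the target",
    "SSH brute force": "review auth logs, enforce key-based auth, rate-limit the source",
}


def aggregate(alerts):
    """Stage 1: collapse raw alerts into condensed views keyed by (signature, src, dst)."""
    views = {}
    for a in alerts:
        key = (a["sig"], a["src"], a["dst"])
        v = views.setdefault(key, {
            "sig": a["sig"], "src": a["src"], "dst": a["dst"], "dport": a["dport"],
            "count": 0, "sensors": set(), "first": a["ts"], "last": a["ts"],
        })
        v["count"] += 1
        v["sensors"].add(a["sensor"])  # how many independent sensors agree
        v["first"] = min(v["first"], a["ts"])
        v["last"] = max(v["last"], a["ts"])
    return sorted(views.values(), key=lambda v: v["first"])


def evaluate(view):
    """Stage 2: rate a condensed view against host knowledge and attach a suggestion."""
    host = HOSTS.get(view["dst"])
    req = SIG_REQUIRES.get(view["sig"], {})
    if host is None:
        return "unknown-host", "add the host to the inventory before triage"
    service = host["services"].get(view["dport"])
    if req.get("service") and service != req["service"]:
        return "likely-false-positive", "target does not run the attacked service"
    if req.get("os") and host["os"] != req["os"]:
        return "likely-false-positive", "target OS is not affected by this signature"
    return "relevant", SUGGESTIONS.get(view["sig"], "investigate manually")


def correlate(views, window=60):
    """Stage 3: chain views from the same source into a session when they fall within `window` seconds."""
    sessions = []  # each session: {"src": ..., "steps": [view, ...]} in time order
    for v in views:
        for s in sessions:
            if s["src"] == v["src"] and v["first"] - s["steps"][-1]["last"] <= window:
                s["steps"].append(v)
                break
        else:
            sessions.append({"src": v["src"], "steps": [v]})
    return sessions


def analyse(alerts):
    """Run all three stages; returns (rated views, sessions built from relevant views only)."""
    rated = [(v, *evaluate(v)) for v in aggregate(alerts)]
    relevant = [v for v, status, _ in rated if status == "relevant"]
    return rated, correlate(relevant)


if __name__ == "__main__":
    rated, sessions = analyse(ALERTS)
    for v, status, note in rated:
        print(f"{v['sig']:<22} {v['src']} -> {v['dst']}  x{v['count']} [{status}] {note}")
    for s in sessions:
        print("session from", s["src"], "->", [step["sig"] for step in s["steps"]])
```

Eight raw alerts become five condensed views; two of them are marked as likely false positives because the host inventory shows the target lacks the attacked service or platform, and the remaining relevant views are chained by source into two sessions.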
