Enhanced Alert Correlation Framework for Heterogeneous Log

Yusof, R. and Selamat, S. R. and Sahib, S. and Mas'ud, M. Z. and Abdollah, M. F. (2011) Enhanced Alert Correlation Framework for Heterogeneous Log. In: The International Conference on Informatics Engineering & Information Science (ICIEIS2011), Nov. 14-16, 2011, University Technology Malaysia, KL Malaysia. (In Press)

Enhanced_ACF_for_Heterogeneous_log-id_47_camera_ready.pdf - Accepted Version

Download (515kB)
Official URL: http://www.sdiwc.net/kl/


Management of intrusion alarms particularly in identifying malware attack is becoming more demanding due to large amount of alert produced by low-level detectors. Alert correlation can provide high-level view of intrusion alerts but incapable of handling large amount of alarm. This paper proposes an enhanced Alert Correlation Framework for sensors and heterogeneous log. It can reduce the large amount of false alarm and identify the perspective of the attack. This framework is mainly focusing on the alert correlation module which consists of Alarm Thread Reconstruction, Log Thread Reconstruction, Attack Session Reconstruction, Alarm Merging and Attack Pattern Identification module. It is evaluated using metric for effectiveness that shows high correlation rate, reduction rate, identification rate and low misclassification rate. Meanwhile in statistical validation it has highly significance result with p < 0.05. This enhanced Alert Correlation Framework can be extended into research areas in alert correlation and computer forensic investigation.

Item Type: Conference or Workshop Item (Paper)
Subjects: Q Science > Q Science (General)
Divisions: Faculty of Information and Communication Technology > Department of System and Computer Communication
Depositing User: Dr. Robiah Yusof
Date Deposited: 24 Aug 2011 03:41
Last Modified: 28 May 2015 02:16
URI: http://eprints.utem.edu.my/id/eprint/80
Statistic Details: View Download Statistic

Actions (login required)

View Item View Item