Type: Journal article
Title: An Approach To The Correlation Of Security Events Based On Machine Learning Techniques
Authors: Stroeh K.; Madeira E.R.M.; Goldenstein S.K.
Abstract: Organizations face the ever-growing challenge of providing security within their IT infrastructures. Static approaches to security, such as perimeter defense, have proven less than effective, leaving organizations more vulnerable, in a new scenario characterized by increasingly complex systems and by the evolution and automation of cyber attacks. Moreover, dynamic detection of attacks through IDSs (Intrusion Detection Systems) produces too many false positives to be effective. This work presents an approach to collecting and normalizing, and then fusing and classifying, security alerts. Alerts are collected from different sources and normalized into a standardized structure, IDMEF (Intrusion Detection Message Exchange Format). The normalized alerts are grouped into meta-alerts (fusion, or clustering), which are then classified by machine learning techniques as attacks or false alarms. We validate and report an implementation of this approach against the DARPA Challenge and the Scan of the Month, using three different classifiers (SVMs, Bayesian Networks and Decision Trees), and achieve high levels of attack detection with few false positives. Our results also indicate that our approach outperforms other works when it comes to detecting new kinds of attacks, making it more suitable to a world of evolving attacks. © 2013 Stroeh et al.
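The abstract describes a three-stage pipeline: normalize alerts from heterogeneous sources into IDMEF-shaped records, fuse related alerts into meta-alerts, and hand each meta-alert to a classifier. The example below is added here to make the first two stages concrete; it is not code from Stroeh et al. and does not reproduce their fusion rule or feature set. It assumes two input formats (Snort "fast" alerts and sshd syslog lines), a fixed year for timestamps that carry none, a 60-second fusion window keyed on the source address, and a handful of constructed sample lines. The per-meta-alert feature dictionary it returns is the kind of vector one would feed to an SVM, Bayesian network or decision tree; the classifier itself is not shown.

```python
"""Normalize heterogeneous IDS alerts into an IDMEF-like record and fuse them
into meta-alerts. Added example; formats, window and sample lines are assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

YEAR = 2013                              # assumption: neither input format carries a year
FUSION_WINDOW = timedelta(seconds=60)    # assumption: max gap between alerts of one meta-alert
SEV_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    """Subset of IDMEF Alert fields used here."""
    analyzer: str                 # IDMEF Analyzer/name
    create_time: datetime         # IDMEF CreateTime
    classification: str           # IDMEF Classification/text
    source: str                   # Source/Node/Address
    target: str                   # Target/Node (address or host name)
    target_port: Optional[int]    # Target/Service/port
    severity: str                 # Assessment/Impact severity


@dataclass
class MetaAlert:
    source: str
    alerts: List[Alert]


# Snort "fast" alert line, e.g.
# 05/14-10:00:01.123456  [**] [1:2002910:5] MSG [**] [Classification: C] [Priority: 2] {TCP} a.b.c.d:p -> e.f.g.h:q
SNORT_RE = re.compile(
    r'^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+'
    r'\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)
# sshd syslog line, e.g. "May 14 10:00:40 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 50234 ssh2"
SSHD_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+'
    r'sshd\[\d+\]:\s+Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port (?P<sport>\d+)'
)


def parse_snort(line: str) -> Optional[Alert]:
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    severity = {1: "high", 2: "medium", 3: "low"}.get(int(m['prio']), "info")  # Snort priority -> IDMEF severity
    port = int(m['dport']) if m['dport'] else None
    return Alert("snort", ts, m['msg'], m['src'], m['dst'], port, severity)


def parse_sshd(line: str) -> Optional[Alert]:
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    # Target is the logging host (a node name, not an address); port 22 is assumed for sshd.
    return Alert("sshd", ts, f"Failed password for {m['user']}", m['src'], m['host'], 22, "low")


def normalize(lines: List[str]) -> List[Alert]:
    """Stage 1: try each parser; lines no parser understands are dropped."""
    alerts = []
    for line in lines:
        a = parse_snort(line) or parse_sshd(line)
        if a is not None:
            alerts.append(a)
    return alerts


def fuse(alerts: List[Alert], window: timedelta = FUSION_WINDOW) -> List[MetaAlert]:
    """Stage 2: group alerts from the same source whose gaps never exceed `window`."""
    metas: List[MetaAlert] = []
    open_by_source = {}
    for a in sorted(alerts, key=lambda x: x.create_time):
        meta = open_by_source.get(a.source)
        if meta is None or a.create_time - meta.alerts[-1].create_time > window:
            meta = MetaAlert(a.source, [])
            metas.append(meta)
            open_by_source[a.source] = meta
        meta.alerts.append(a)
    return metas


def features(meta: MetaAlert) -> dict:
    """Numeric summary of a meta-alert, the input a classifier would consume."""
    al = meta.alerts
    return {
        "n_alerts": len(al),
        "n_analyzers": len({a.analyzer for a in al}),
        "n_classifications": len({a.classification for a in al}),
        "n_targets": len({a.target for a in al}),
        "n_ports": len({a.target_port for a in al if a.target_port is not None}),
        "duration_s": (al[-1].create_time - al[0].create_time).total_seconds(),
        "max_severity": max(SEV_RANK[a.severity] for a in al),
    }


# Constructed sample input (not real traffic); one line is deliberately unparseable.
SAMPLE_LINES = [
    "05/14-10:00:01.123456  [**] [1:2002910:5] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:5800",
    "05/14-10:00:05.654321  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44322 -> 192.168.1.10:22",
    "May 14 10:00:40 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 50234 ssh2",
    "May 14 10:00:43 web01 sshd[2231]: Failed password for invalid user admin from 10.0.0.5 port 50236 ssh2",
    "May 14 10:00:50 web01 sshd[2240]: Accepted publickey for deploy from 10.0.0.7 port 50240 ssh2",
    "05/14-11:30:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:80 -> 10.0.0.9:51000",
    "May 14 10:15:00 web01 sshd[2301]: Failed password for root from 10.0.0.5 port 50300 ssh2",
]

if __name__ == "__main__":
    for meta in fuse(normalize(SAMPLE_LINES)):
        print(meta.source, features(meta))
```

Running the block prints one feature row per meta-alert: the scan-then-brute-force burst from 10.0.0.5 fuses into a single meta-alert spanning two analyzers and two targets, the later lone failure from the same source falls outside the window and becomes its own meta-alert, and the unparsed "Accepted publickey" line is dropped at normalization.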
Publisher: Springer-Verlag London Ltd
Rights: open access
Identifier DOI: 10.1186/1869-0238-4-7
Date Issue: 2013
Appears in Collections: Unicamp - Articles and Other Documents

Files in This Item:
2-s2.0-84897423933.pdf (1.58 MB, Adobe PDF)
