Using a Deeper Understanding of Network Activities for Security Event Management

Mona Lange, Felix Kuhr, Ralf Möller

Abstract

With the growing deployment of host-based and network-based intrusion detection systems in increasingly large and complex communication networks, managing low-level alerts from these systems becomes critically important. Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or intrusion prevention systems (IPSs) are collected throughout a monitored network such that large series of alerts (alert streams) need to be fused. An alert indicates an abnormal behavior, which could potentially be a sign for an ongoing cyber attack. Unfortunately, in a real data communication network, administrators cannot manage the large number of alerts occurring per second, in particular since most alerts are false positives. Hence, an emerging track of security research has focused on alert correlation to better identify true positive and false positive. To achieve this goal we introduce Mission Oriented Network Analysis (MONA). This method builds on data correlation to derive network dependencies and manage security events by linking incoming alerts to network dependencies
Original languageEnglish
JournalInternational Journal of Network Security & Its Applications (IJNSA)
Number of pages21
Publication statusPublished - 2016

DFG Research Classification Scheme

  • 409-06 Information Systems, Process and Knowledge Management

Fingerprint

Dive into the research topics of 'Using a Deeper Understanding of Network Activities for Security Event Management'. Together they form a unique fingerprint.

Cite this