17th Annual Computer Security Applications Conference
December 10-14, 2001
New Orleans, Louisiana

Managing alerts in a multi-intrusion detection environment

Frédéric Cuppens

There are several approaches for intrusion detection but none of them is fully satisfactory. They generally generate too many false positives and the alerts are too elementary and not enough accurate to be directly managed by a security administrator. A promising approach is to develop a cooperation module to analyze alerts and to generate more global and synthetic alerts. This paper presents the work we did in this context within the MIRADOR project. We suggest specifications for three functions: alert base management, alert clustering and alert merging. The approach is compliant with the IDMEF format currently being defined at the IETF.

Keywords: Intrusion Detection System, IDMEF, cooperative intrusion detection, alert clustering, alert merging

Read Paper Read Paper (in PDF)