A Flexible Approach to Intrusion Alert Anonymization and Correlation


[Figure 2. An alert correlation graph in LLDOS 1.0 Inside data set. Only the node labels survive extraction: each node is an alert type followed by its alert ID, with the types Sadmind_Ping, Sadmind_Amslverify_Overflow, Email_Almail_Overflow, FTP_Syst, Rsh, Mstream_Zombie and Stream_DoS appearing in the graph; the edges between nodes are not recoverable from the text.]

                                                       LLDOS 1.0           LLDOS 2.0.2
                                                       Inside    DMZ       Inside    DMZ
RealSecure                        # alerts             922       886       489       425
Correlation for original sets     # alerts             44        57        13        5
Correlation for anonymized sets   # original alerts    48        61        20        5
                                  # artificial alerts  9         3         2         0
RealSecure                        Recall M_r           61.67%    57.30%    80.00%    57.14%
Correlation for original sets     Recall M_r           60.00%    56.18%    66.67%    42.86%
Correlation for anonymized sets   Recall M_r           60.00%    56.18%    66.67%    42.86%
RealSecure                        Precision M_p        4.77%     6.43%     3.27%     1.41%
Correlation for original sets     Precision M_p        93.18%    94.74%    76.92%    60.00%
Correlation for anonymized sets   Precision M_p        77.19%    84.38%    45.45%    60.00%

Table 3. Recall and precision measures in our experiments
