Applying multi-correlation for improving forecasting in cyber security

E. Pontes, A. Guelfi, S. Kofuji, Anderson A. A. Silva
DOI: 10.1109/ICDIM.2011.6093323 (https://doi.org/10.1109/ICDIM.2011.6093323)
Published in: 2011 Sixth International Conference on Digital Information Management
Publication date: 2011-12-01
Citations: 10
Indexed by: Semantic Scholar

Abstract

Currently, defense of cyberspace is mostly based on detection and/or blocking of attacks (Intrusion Detection and Prevention Systems, IDPS). A significant improvement over IDPS is the employment of forecasting techniques in a Distributed Intrusion Forecasting System (DIFS), which enables the capability of predicting attacks. Nevertheless, one of the issues we faced during our earlier work was the huge number of alerts produced by the IDPS, several of which were false positives. Checking the veracity of alerts against other sources (multi-correlation), e.g. logs taken from the operating system (OS), is a way of reducing the number of false alerts and, therefore, of improving the data (historical series) used by the DIFS. The goal of this paper is to propose a two-stage system that allows: (1) the employment of an Event Analysis System (EAS) for multi-correlation between alerts from an IDPS and the OS logs; and (2) the application of forecasting techniques to the data generated by the EAS. Laboratory tests of the two-stage system allow us to conclude that the reliability of the historical series improves, and consequently so does the accuracy of the forecasts.