{"title":"Privacy-preserving alert correlation: a concept hierarchy based approach","authors":"Dingbang Xu, P. Ning","doi":"10.1109/CSAC.2005.45","DOIUrl":null,"url":null,"abstract":"With the increasing security threats from infrastructure attacks such as worms and distributed denial of service attacks, it is clear that the cooperation among different organizations is necessary to defend against these attacks. However, organizations' privacy concerns for the incident and security alert data require that sensitive data be sanitized before they are shared with other organizations. Such sanitization process usually has negative impacts on intrusion analysis (such as alert correlation). To balance the privacy requirements and the need for intrusion analysis, we propose a privacy-preserving alert correlation approach based on concept hierarchies. Our approach consists of two phases. The first phase is entropy guided alert sanitization, where sensitive alert attributes are generalized to high-level concepts to introduce uncertainty into the dataset with partial semantics. To balance the privacy and the usability of alert data, we propose to guide the alert sanitization process with the entropy or differential entropy of sanitized attributes. The second phase is sanitized alert correlation. We focus on defining similarity functions between sanitized attributes and building attack scenarios from sanitized alerts. Our preliminary experimental results demonstrate the effectiveness of the proposed techniques","PeriodicalId":422994,"journal":{"name":"21st Annual Computer Security Applications Conference (ACSAC'05)","volume":"436 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"49","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"21st Annual Computer Security Applications Conference (ACSAC'05)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSAC.2005.45","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 49
Abstract
With the increasing security threats from infrastructure attacks such as worms and distributed denial of service attacks, it is clear that the cooperation among different organizations is necessary to defend against these attacks. However, organizations' privacy concerns for the incident and security alert data require that sensitive data be sanitized before they are shared with other organizations. Such sanitization process usually has negative impacts on intrusion analysis (such as alert correlation). To balance the privacy requirements and the need for intrusion analysis, we propose a privacy-preserving alert correlation approach based on concept hierarchies. Our approach consists of two phases. The first phase is entropy guided alert sanitization, where sensitive alert attributes are generalized to high-level concepts to introduce uncertainty into the dataset with partial semantics. To balance the privacy and the usability of alert data, we propose to guide the alert sanitization process with the entropy or differential entropy of sanitized attributes. The second phase is sanitized alert correlation. We focus on defining similarity functions between sanitized attributes and building attack scenarios from sanitized alerts. Our preliminary experimental results demonstrate the effectiveness of the proposed techniques
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
