Alarm clustering for intrusion detection systems in computer networks
- In: Perner, P., Imiya, A., 2005
Cited by 7 (0 self)
Abstract. Until recently, network administrators manually arranged alarms produced by Intrusion Detection Systems (IDSs) to attain a high-level description of threats. As the number of alarms is increasingly growing, automatic tools for alarm clustering have been proposed to provide such a high-level description of the attack scenario. In addition, it has been shown that effective threat analysis requires the fusion of different sources of information, such as different IDSs, firewall logs, etc. In this paper, we propose a new strategy to perform alarm clustering which produces unified descriptions of attacks from multiple alarms. Tests have been performed on a live network where commercial and open-source IDSs analyzed network traffic.
Using alert verification to identify successful intrusion attempts
- Practice in Information Processing and Communication (PIK 2004), 27(4):219–227, October 2004
Cited by 6 (1 self)
Abstract: An important task of alert correlation is the aggregation of alerts to provide a high-level view (i.e., the "big picture") of malicious activity on the network. Unfortunately, when the correlation process receives false positives as input, the quality of the results can degrade significantly. Correlating alerts that refer to failed attacks can easily result in the detection of whole attack scenarios that are non-existent. The idea of alert verification is to discriminate between successful and failed intrusion attempts (both false and non-relevant positives). This is important for the correlation process, because, although a failed attack indicates malicious intent, it does not provide increased privileges or any additional information (other than that an attacker learned that the particular attack is ineffective). The goal of the alert verification component is to identify and appropriately tag (or even remove) alerts that represent failed attacks. This allows other correlation components to reduce the influence of these alerts on their decision process. This paper describes the different issues involved in alert verification and presents a tool that performs real-time verification of attacks detected by an intrusion detection system. The experimental evaluation of the tool shows that verification can dramatically reduce both false and non-relevant alerts.
A semantic web approach to share alerts among Security Information Management Systems
Abstract. This paper presents a semantic web-based architecture to share alerts among Security Information Management Systems (SIMS). Such architecture is useful if two or more SIMS from different domains need to know information about alerts happening in the other domains, which is useful for an early response to network incidents. For this, an ontology has been defined to describe the knowledge base of each SIMS that contains the security alerts. These knowledge bases can be queried from other SIMS, using standard semantic web protocols. Two modules have been implemented: one to insert the new security alerts in the knowledge base, and another one to query such knowledge bases. The performance of both modules has been evaluated, providing some results.
Converting Network Attacks to Standard Semantic Web Form in Cloud Computing Infrastructure
Nowadays security has an important role in communications. The major weakness in detection/prevention systems is that their power is restricted only to the network on which the algorithms are applied. This paper presents a new method to solve the problem of their locality. We propose placing Snorts with the capability to convert detected attacks' properties to semantic web forms (SWFs) in several verified servers in a cloud computing infrastructure. The major advantage of this approach is that all intrusion detection/prevention systems in the world can use SWFs to detect/prevent any attack well. We will evaluate this method and show that the resulting traffic is balanced over time.