Abstract:

An IDS for a computer network is capable of detecting potential intrusions and alerting the systems administrator, providing guidance against any potential loss of integrity and confidentiality to the enterprise's valuable intellectual assets. In this paper, a layered model for IDS and an alert aggregation technique are used. In this layered IDS architecture, each layer assesses, filters, and/or aggregates the information produced by the layer below it. Thus, relevant information becomes progressively more condensed and more certain, and therefore also more valuable. Alerts may originate from low-level IDSs such as those mentioned above, from firewalls (FW), etc. Alerts that belong to one attack instance must be clustered together and meta-alerts must be generated. The main goal is to improve performance by substantially reducing the number of alerts without losing any information that is necessary to identify ongoing attack instances.
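The following is an added illustration of the aggregation step described above; it is not the paper's own algorithm or code. It assumes a simple clustering rule (alerts sharing source, destination and signature, arriving within a configurable time window of each other, form one meta-alert) and uses a small set of constructed alerts from hypothetical IDS and firewall sensors to show how six raw alerts collapse into three meta-alerts without losing the attack instances they describe.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    """One low-level alert as emitted by a sensor (IDS, firewall, ...)."""
    ts: datetime
    sensor: str      # hypothetical sensor name, e.g. "nids-1" or "fw-1"
    src: str
    dst: str
    signature: str


@dataclass
class MetaAlert:
    """One cluster of alerts believed to belong to a single attack instance."""
    key: tuple                       # (src, dst, signature)
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    sensors: set = field(default_factory=set)


def aggregate(alerts, window=timedelta(seconds=60)):
    """Cluster alerts that share (src, dst, signature) and arrive within
    `window` of the cluster's most recent alert into one meta-alert.
    A gap longer than `window` starts a new meta-alert for the same key,
    so two separate attack instances are not merged into one.
    The grouping key and window are assumptions of this example."""
    open_clusters = {}   # key -> MetaAlert currently being extended
    result = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.signature)
        cur = open_clusters.get(key)
        if cur is None or a.ts - cur.last_seen > window:
            cur = MetaAlert(key, a.ts, a.ts)
            open_clusters[key] = cur
            result.append(cur)
        cur.count += 1
        cur.last_seen = a.ts
        cur.sensors.add(a.sensor)
    return result


# Constructed sample input: four SSH failures from one host within 20 s,
# one unrelated scanner alert, and a fifth SSH failure ten minutes later.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "nids-1", "10.0.0.5", "10.0.0.20", "SSH login failure"),
    Alert(T0 + timedelta(seconds=5), "nids-1", "10.0.0.5", "10.0.0.20", "SSH login failure"),
    Alert(T0 + timedelta(seconds=12), "fw-1", "10.0.0.5", "10.0.0.20", "SSH login failure"),
    Alert(T0 + timedelta(seconds=20), "nids-1", "10.0.0.5", "10.0.0.20", "SSH login failure"),
    Alert(T0 + timedelta(seconds=15), "nids-2", "10.0.0.9", "10.0.0.21", "HTTP scanner user-agent"),
    Alert(T0 + timedelta(minutes=10), "nids-1", "10.0.0.5", "10.0.0.20", "SSH login failure"),
]


def reduction(alerts, window=timedelta(seconds=60)):
    """Return (raw alert count, meta-alert count) for a given window."""
    return len(alerts), len(aggregate(alerts, window))


if __name__ == "__main__":
    for m in aggregate(SAMPLE_ALERTS):
        print(f"{m.key}: {m.count} alert(s) from {sorted(m.sensors)} "
              f"between {m.first_seen.time()} and {m.last_seen.time()}")
    print("raw -> meta:", reduction(SAMPLE_ALERTS))
```

The window controls the trade-off the abstract mentions: a short window keeps the two SSH bursts apart as distinct attack instances, while a window of fifteen minutes merges them into a single meta-alert. In a layered deployment this function would sit at the layer above the raw sensors, and its meta-alerts would be the input to the next layer's correlation.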