Keun-Hee Han, Il-Gon Kim, Kang-Won Lee, Jin-Young Choi and Sang-Hun Jeon*
Department of Computer Science and Engineering
Korea University
Seoul, 136-701 Korea
*Infosec Technologies Co., Ltd.
Seoul, 138-169 Korea
The approach proposed in this paper involves the creation of a new algorithm for
analyzing correlated alerts and providing correct information regarding the detection
of various types of security attacks, such as DDoS. It also enables the evaluation of the
attack status and the degree of danger from the viewpoint of a managed network environment
and the assets protected by the security devices. This paper proposes an advanced
ESM system (referred to as the "SIA System"), which is capable of grouping a large
number of alert messages, analyzing mixed attacks by correlating the alert messages from
each sensor, and responding to security threats quickly after classifying them into one of
four different statuses. It was confirmed that this system implementation could identify
and analyze all types of intrusion by attackers in a managed network. Therefore, it provides
a very effective means for security experts to cope with security threats in real
time.
Received April 13, 2004; revised August 11 & December 27, 2004; accepted January 20, 2005.
Communicated by Ming-Syan Chen.
* This paper was partially supported by the CICYT of the Spanish government, under project TIC2001-0547.