Title: An agent-based framework for intrusion detection alert verification and event correlation

Authors: Benjamin Uphoff, Johnny S. Wong

Addresses: Los Alamos National Laboratory, Los Alamos, NM, USA; Department of Computer Science, Iowa State University, Ames, Iowa, USA

Abstract: In this paper, we present a framework design and implementation that provides a scalable solution for two important components of alert correlation: alert verification and event correlation. In our framework, a broker application maintains a database of IDS alerts, while software agents perform alert verification and event correlation on the stored alert instances. Agents are designed to run on multiple hosts so that complex tasks scale. Agents communicate with the broker through a web service architecture, which makes them easy to build and deploy in heterogeneous networks. Three IDSs are supported to show that the framework can be applied to differing IDS paradigms.

Keywords: IDS; intrusion detection systems; alert correlation; alert verification; event correlation; software agents; web service; brokers; intrusion alert; agent-based systems; web service architecture; web services; network security.

DOI: 10.1504/IJSN.2008.020093

International Journal of Security and Networks, 2008, Vol. 3, No. 3, pp. 193-200

Published online: 26 Aug 2008
