ISM-AC: an immune security model based on alert correlation and software-defined networking / Melo, R. V.; de Macedo, D. D. J.; Kreutz, D.; De Benedictis, A.; Fiorenza, M. M. - In: INTERNATIONAL JOURNAL OF INFORMATION SECURITY. - ISSN 1615-5262. - 21:2 (2022), pp. 191-205. [10.1007/s10207-021-00550-x]
ISM-AC: an immune security model based on alert correlation and software-defined networking
De Benedictis A.
2022
Abstract
Anomaly-based detection techniques produce a high number of false positives, which degrades detection performance. To address this issue, we propose a distributed intrusion detection system, named ISM-AC, based on anomaly detection using an artificial immune system and attack graph correlation. To analyze network traffic, we use negative selection, clonal selection, and immune network algorithms to implement an agent-based detection system. ISM-AC leverages the programmability of software-defined networking to reduce the false positive rate. Our findings show that ISM-AC achieves better detection performance for the denial of service, user to root, remote to local, and probe attack classes. Alert correlation plays a key role in this achievement.