Abstract:
Intrusion detection systems are receiving considerable attention and serving as an indispensable fortification for shielding networks against attackers. To improve the effectiveness of intrusion detection systems, distributed schemes are developed and implemented in real networks. The distributed schemes are classified into two major principles on the basis of data collection and detection engines. Both of them generate a mass of alerts and false positives that flood the administrators and thus impair the effectiveness of IDS. A two-stage real time solution based on DBTCAN (density-based time clustering of application with noise) algorithm is presented for alert aggregation and correlation in distributed contexts. The effectiveness of the approach and prototype on the intrusion detection evaluation dataset is demonstrated, where attacks can be detected more accurately with a low rate of false alarms and more succinct and informative alerts can be provided for administrators with the redundant alarms greatly reduced. The comparative experiments and analysis show that the approach is effective in distributed probing detection and the system gives better results in real time detection.