Exchanging Security Events: Which And How Many Alerts Can We Aggregate?
Identifikátory výsledku
Kód výsledku v IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14610%2F17%3A00094466" target="_blank" >RIV/00216224:14610/17:00094466 - isvavai.cz</a>
Výsledek na webu
<a href="http://ieeexplore.ieee.org/document/7987340/" target="_blank" >http://ieeexplore.ieee.org/document/7987340/</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.23919/INM.2017.7987340" target="_blank" >10.23919/INM.2017.7987340</a>
Alternativní jazyky
Jazyk výsledku
angličtina
Název v původním jazyce
Exchanging Security Events: Which And How Many Alerts Can We Aggregate?
Popis výsledku v původním jazyce
The exchange of security alerts is a current trend in network security and incident response. Alerts from network intrusion detection systems are shared among organizations so that it is possible to see the ''big picture'' of current security situation. However, the quality and redundancy of the input data seem to be underrated. We present four use cases of aggregation of the alerts from network intrusion detection systems. Alerts from a sharing platform deployed in the Czech national research and education network were examined in a case study. Volumes of raw and aggregated data are presented and a rule of thumb is proposed: up to 85 % of alerts can be aggregated. Finally, we discuss the practical implications of alert aggregation for the network intrusion detection system, such as (in)completeness of the alerts and optimal time windows for aggregation.
Název v anglickém jazyce
Exchanging Security Events: Which And How Many Alerts Can We Aggregate?
Popis výsledku anglicky
The exchange of security alerts is a current trend in network security and incident response. Alerts from network intrusion detection systems are shared among organizations so that it is possible to see the ''big picture'' of current security situation. However, the quality and redundancy of the input data seem to be underrated. We present four use cases of aggregation of the alerts from network intrusion detection systems. Alerts from a sharing platform deployed in the Czech national research and education network were examined in a case study. Volumes of raw and aggregated data are presented and a rule of thumb is proposed: up to 85 % of alerts can be aggregated. Finally, we discuss the practical implications of alert aggregation for the network intrusion detection system, such as (in)completeness of the alerts and optimal time windows for aggregation.
Klasifikace
Druh
D - Stať ve sborníku
CEP obor
—
OECD FORD obor
10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)
Návaznosti výsledku
Projekt
<a href="/cs/project/VI20162019029" target="_blank" >VI20162019029: Sdílení a analýza bezpečnostních událostí v ČR</a><br>
Návaznosti
P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)
Ostatní
Rok uplatnění
2017
Kód důvěrnosti údajů
S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů
Údaje specifické pro druh výsledku
Název statě ve sborníku
2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)
ISBN
9783901882890
ISSN
—
e-ISSN
—
Počet stran výsledku
4
Strana od-do
604-607
Název nakladatele
IEEE
Místo vydání
Lisbon
Místo konání akce
Lisbon
Datum konání akce
8. 5. 2017
Typ akce podle státní příslušnosti
WRD - Celosvětová akce
Kód UT WoS článku
—