
Correlation between NetFlow System and Network Views for Intrusion Detection

This approach, marrying network data from NetFlow with system alerts, is becoming a reality in the security marketplace: it amounts to pairing a traffic monitoring tool with a SEM (or SIM) platform.
We present several ways to correlate security events from two applications that visualize the same underlying data with two distinct views: system and network. Correlation of security events provides Security Engineers a better understanding of what is happening for enhanced security situational awareness. Visualization leverages human cognitive abilities and promotes quick mental connections between events that otherwise may be obscured in the volume of IDS alert messages.
Source: Correlation between NetFlow System and Network Views for Intrusion Detection, Cristina Abad, Yifan Li, Kiran Lakkaraju, Xiaoxin Yin, and William Yurcik.
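To make the system/network correlation the abstract describes concrete, here is an added example; it is not code from the paper, its authors, or any product. The system view is a handful of Snort-style "fast" alert lines and the network view a flow export in an nfdump-like CSV layout (both constructed here, with local-range SIDs so no real signature is named; the alert format carries no year, so 2005 is assumed from the post date). Each alert is joined to the flows on the same protocol and address pair whose active interval covers the alert time, and flow fan-out per source adds the scan context a single host alert cannot show. The 5-second skew allowance and the 3-host/10-second scan threshold are illustrative choices, not values from the paper.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow export in an nfdump-like CSV layout (assumption, not real
# traffic): start, end, proto, src, sport, dst, dport, packets, bytes.
FLOWS_CSV = """\
2005-07-20 14:30:01,2005-07-20 14:30:03,TCP,10.0.0.5,40211,192.168.1.10,22,14,1820
2005-07-20 14:30:02,2005-07-20 14:30:02,TCP,10.0.0.5,40212,192.168.1.11,22,1,60
2005-07-20 14:30:02,2005-07-20 14:30:02,TCP,10.0.0.5,40213,192.168.1.12,22,1,60
2005-07-20 14:30:03,2005-07-20 14:30:03,TCP,10.0.0.5,40214,192.168.1.13,22,1,60
2005-07-20 14:31:10,2005-07-20 14:31:45,TCP,10.0.0.9,51000,192.168.1.20,80,120,98000
2005-07-20 14:25:00,2005-07-20 14:25:30,UDP,10.0.0.7,53001,192.168.1.1,53,2,240
"""

# Constructed Snort-style "fast" alert lines. SIDs >= 1000000 are the local-rule
# range, so none of these names a real signature.
ALERTS = """\
07/20-14:30:02.114021  [**] [1:1000001:1] LOCAL SSH to honeytoken host [**] [Priority: 2] {TCP} 10.0.0.5:40212 -> 192.168.1.11:22
07/20-14:31:12.500000  [**] [1:1000002:1] LOCAL HTTP long URI [**] [Priority: 3] {TCP} 10.0.0.9:51000 -> 192.168.1.20:80
07/20-14:40:00.000000  [**] [1:1000003:1] LOCAL suspicious DNS query [**] [Priority: 3] {UDP} 10.0.0.7:53001 -> 192.168.1.1:53
"""

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$")


def parse_flows(text):
    """Parse the CSV layout above; timestamps become datetime objects."""
    flows = []
    for line in filter(None, text.splitlines()):
        ts, te, proto, sa, sp, da, dp, pkts, byts = line.split(",")
        flows.append({"start": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                      "end": datetime.strptime(te, "%Y-%m-%d %H:%M:%S"),
                      "proto": proto, "src": sa, "sport": int(sp), "dst": da,
                      "dport": int(dp), "packets": int(pkts), "bytes": int(byts)})
    return flows


def parse_alerts(text, year=2005):
    """Parse fast-format alerts; the format omits the year, so one is assumed."""
    alerts = []
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        mon, day, clock, _gid, sid, _rev, msg, proto, src, sp, dst, dp = m.groups()
        alerts.append({"time": datetime.strptime(f"{year}-{mon}-{day} {clock}",
                                                 "%Y-%m-%d %H:%M:%S.%f"),
                       "sid": int(sid), "msg": msg, "proto": proto, "src": src,
                       "sport": int(sp), "dst": dst, "dport": int(dp)})
    return alerts


def flows_for_alert(alert, flows, slack=timedelta(seconds=5)):
    """Flows on the same protocol and address pair (either direction) whose
    active interval, widened by `slack` for sensor clock skew, covers the alert."""
    hits = []
    for f in flows:
        if f["proto"] != alert["proto"] or {f["src"], f["dst"]} != {alert["src"], alert["dst"]}:
            continue
        if f["start"] - slack <= alert["time"] <= f["end"] + slack:
            hits.append(f)
    return hits


def fan_out(flows, window=timedelta(seconds=10), min_targets=3):
    """Network-view context: sources reaching >= min_targets distinct hosts on
    one destination port within `window`. Thresholds are illustrative."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["dport"])].append(f)
    scanners = {}
    for (src, dport), group in by_key.items():
        group.sort(key=lambda f: f["start"])
        for i, first in enumerate(group):
            targets = {g["dst"] for g in group[i:] if g["start"] - first["start"] <= window}
            if len(targets) >= min_targets:
                scanners[src] = (dport, len(targets))
                break
    return scanners


def correlate(flows_csv=FLOWS_CSV, alerts_text=ALERTS):
    """Join each system-view alert to its network-view flows and scan context."""
    flows = parse_flows(flows_csv)
    scanners = fan_out(flows)
    report = []
    for a in parse_alerts(alerts_text):
        hits = flows_for_alert(a, flows)
        report.append({"sid": a["sid"], "msg": a["msg"], "src": a["src"], "dst": a["dst"],
                       "matched_flows": len(hits),
                       "bytes": sum(f["bytes"] for f in hits),
                       "src_is_scanner": a["src"] in scanners})
    return report


if __name__ == "__main__":
    for row in correlate():
        print(row)
```

Running it, the SSH alert gains context the IDS alone lacks: flow fan-out shows 10.0.0.5 hitting four hosts on port 22 within seconds, so a single honeytoken alert becomes one event in a visible scan. The HTTP alert is corroborated by a 98 KB flow. The DNS alert matches no flow at all; that is the case a correlator must surface rather than hide, since it means either the flow export lags, the sensors' clocks disagree beyond the slack, or the alert fired on traffic the flow collector never saw.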

July 20, 2005 in detection, ids, papers

Comments

I guess Netflow is the correct approach in some cases. However, I just think there are too many disadvantages with it. I have pointed out some of them here: http://esphion.blogs.com/esphion/2005/07/more_problems_w.html

I think that a packet-based approach to anomaly detection and analysis is preferable for all those reasons.

Once you have anomalies detected with a packet-based approach, you can still correlate with output from other devices, of course.

Juergen

Posted by: Juergen Brendel | Jul 20, 2005 2:41:24 PM

To gain a better understanding of the correlation between system and network, engineers need to be fully familiar with statistical tools such as correlation.

Posted by: John | Jan 17, 2007 1:35:32 AM

Hm, interesting post. Currently I am trying to develop a Netflow system using flow tools and a database as well. If I am not mistaken, Netflow is great for aberrant network behavior, isn't it?

How does it view intrusion?

Posted by: sodut | Nov 4, 2008 6:12:27 PM
