Abstract. The purpose of this thesis is to show that both IDS accuracy and IDS completeness can be improved by reducing false positive and false negative alerts, using correlation between the different information sources available in the system and network environment. The dissertation presents a modular framework for a Distributed Agent Correlation Model (DACM) for intrusion detection alerts and events in computer networks. The framework introduces a multi-agent distributed model in a hierarchical organization; it correlates alerts from the IDS with attack signatures from information security tools and with system or application log files as additional sources of information. The model has been implemented and tested on a set of datasets. The proposed agent models and algorithms have been implemented, analyzed, and evaluated to measure detection and correlation rates and the reduction of false positive and false negative alerts. In conclusion, DACM improves both the accuracy and completeness of intrusion detection compared with other published work in the same field. DACM is flexible, upgradable, and platform independent. It decreases the audit load and the time required to obtain effective situational understanding. Finally, DACM can be used as a real-time system with minor modifications.
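The following is an added illustration of the kind of cross-source correlation the abstract describes; it is not DACM's code and does not reproduce the thesis's agents, datasets or algorithms. It takes three constructed sources (IDS alerts, an Apache access log per web server, and a vulnerability-scanner report), keeps an IDS alert only when the target's own log shows the request succeeded (cutting false positives), and promotes successful requests for scanner-confirmed vulnerable resources that the IDS never flagged into new alerts (cutting false negatives). Accuracy is taken as TP/(TP+FP) and completeness as TP/(TP+FN); that reading of the two terms, the signature-to-URI mapping, the 30-second matching window, and every host and event are assumptions made for the example.

```python
"""Toy multi-source alert correlation (example code written for this page,
not DACM's implementation). All hosts, alerts and log lines are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime

APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"
# Apache common log format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
WINDOW = 30.0  # seconds; assumed tolerance between IDS clock and web-server clock


def ts(s: str) -> float:
    """Apache timestamp string -> epoch seconds."""
    return datetime.strptime(s, APACHE_TS).timestamp()


@dataclass(frozen=True)
class Alert:
    src: str     # attacking host
    dst: str     # target host
    sig: str     # signature / rule name
    ts: float    # epoch seconds
    source: str  # "ids" (raised by the IDS) or "log" (raised from a log file)


@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    method: str
    path: str
    status: int
    ts: float


# Assumed mapping from IDS signature name to the URI it fires on.
SIG_PATH = {"WEB-PHP phpinfo access": "/phpinfo.php"}
PATH_SIG = {p: s for s, p in SIG_PATH.items()}

# Constructed scanner report: resources the scanner confirmed as exposed per host.
SCAN_VULN = {"192.168.1.10": {"/phpinfo.php"}}

# Constructed IDS alerts. Only the first one is a real, successful attack.
IDS_ALERTS = [
    Alert("10.0.0.5", "192.168.1.10", "WEB-PHP phpinfo access", ts("10/Oct/2023:13:55:35 +0000"), "ids"),
    Alert("10.0.0.7", "192.168.1.10", "WEB-PHP phpinfo access", ts("10/Oct/2023:13:56:40 +0000"), "ids"),  # request 404'd
    Alert("10.0.0.9", "192.168.1.20", "WEB-PHP phpinfo access", ts("10/Oct/2023:13:57:10 +0000"), "ids"),  # no such request logged
]

# Constructed access logs, keyed by web-server address. The 10.0.0.11 hit is
# an attack the IDS missed entirely (a false negative for the IDS alone).
ACCESS_LOGS = {
    "192.168.1.10": """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /phpinfo.php HTTP/1.1" 200 5120
10.0.0.7 - - [10/Oct/2023:13:56:40 +0000] "GET /phpinfo.php HTTP/1.1" 404 210
10.0.0.11 - - [10/Oct/2023:13:58:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 5120
""",
    "192.168.1.20": """\
10.0.0.9 - - [10/Oct/2023:13:57:11 +0000] "GET /index.html HTTP/1.1" 200 1024
""",
}

# Constructed ground truth for the evaluation: (attacker, target) pairs.
GROUND_TRUTH = {("10.0.0.5", "192.168.1.10"), ("10.0.0.11", "192.168.1.10")}


def parse_logs(logs: dict) -> list:
    """Parse every access-log line of every server into Request records."""
    reqs = []
    for dst, text in logs.items():
        for line in text.splitlines():
            m = LOG_RE.match(line)
            if m:
                src, when, method, path, status = m.groups()
                reqs.append(Request(src, dst, method, path, int(status), ts(when)))
    return reqs


def correlate(ids_alerts: list, requests: list, scan: dict) -> list:
    """Keep IDS alerts confirmed by a successful matching request in the target's
    log; add log-only alerts for successful hits on scanner-confirmed resources."""
    kept = []
    for a in ids_alerts:
        path = SIG_PATH.get(a.sig)
        confirmed = any(r.src == a.src and r.dst == a.dst and r.path == path
                        and 200 <= r.status < 300 and abs(r.ts - a.ts) <= WINDOW
                        for r in requests)
        if confirmed:
            kept.append(a)
    covered = {(a.src, a.dst, SIG_PATH.get(a.sig)) for a in kept}
    for r in requests:
        if (r.path in scan.get(r.dst, set()) and 200 <= r.status < 300
                and (r.src, r.dst, r.path) not in covered):
            kept.append(Alert(r.src, r.dst, PATH_SIG.get(r.path, "LOG " + r.path), r.ts, "log"))
            covered.add((r.src, r.dst, r.path))
    return kept


def evaluate(alerts: list, truth: set) -> tuple:
    """Return (TP, FP, FN, accuracy, completeness) over (src, dst) pairs."""
    found = {(a.src, a.dst) for a in alerts}
    tp, fp, fn = len(found & truth), len(found - truth), len(truth - found)
    accuracy = tp / (tp + fp) if tp + fp else 0.0
    completeness = tp / (tp + fn) if tp + fn else 0.0
    return tp, fp, fn, accuracy, completeness


if __name__ == "__main__":
    reqs = parse_logs(ACCESS_LOGS)
    for label, alerts in (("IDS alone", IDS_ALERTS),
                          ("after correlation", correlate(IDS_ALERTS, reqs, SCAN_VULN))):
        tp, fp, fn, acc, comp = evaluate(alerts, GROUND_TRUTH)
        print(f"{label}: TP={tp} FP={fp} FN={fn} accuracy={acc:.2f} completeness={comp:.2f}")
```

On the constructed data the IDS alone scores TP=1, FP=2, FN=1 (accuracy 0.33, completeness 0.50); after correlation it scores TP=2, FP=0, FN=0. The point the example makes is that each source corrects a different error class: the application log vetoes alerts whose request never succeeded, while the scanner's knowledge of exposed resources lets the log itself raise alerts the IDS missed. A real deployment would need clock discipline between sensors and servers (the window here is an assumption) and would treat a 404 as "not actionable" rather than "not an attempt".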