This paper presents a tool for attack detection, attack identification and attack response. These activities have received great attention from the research community and from several organizations (e.g., ISO/IEC and CERT). Nevertheless, most of the work focuses on the detection and identification of intrusions rather than on attack identification and response. In our work, an intrusion is a detectable atomic action performed by an attacker against a given target, whereas an attack may go through several phases. Therefore, in our terminology, an attack is a sequence of intrusions. In our approach, attack identification and response can be fulfilled in four distinct phases. Each phase involves different methods and different goals. The first phase deals with intrusion detection. This means collecting data from several sensors on the network and on computers, e.g., log files of operating systems and system servers, firewalls, and (network-, host-, or application-based) IDSs. The second phase deals with alarm correlation. This means correlating all the data collected in the previous phase in order to provide an attack description, in terms of a sequence of events, that is as complete as possible. The third phase deals with identification by means of an experience-based model.
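To make the first three phases concrete, the following is an added example written for this page; it is not the paper's tool and does not reproduce its experience-based model. It assumes a hypothetical normalized alert line format (`timestamp sensor src=… dst=… event=…`) emitted by a firewall, a network IDS and a host IDS, a fixed correlation window, and a toy "experience" model expressed as ordered event sequences. The sample alerts are constructed for the example.

```python
"""Intrusion alerts -> alarm correlation -> experience-based identification.

Added example, not code from the paper. The alert format, the sensors and the
attack model below are assumptions made for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Phase 1 output: one normalized line per detected intrusion (constructed sample data).
# Sensor tags: fw = firewall, nids = network IDS, hids = host IDS.
SAMPLE_ALERTS = [
    "2024-01-01T10:00:05Z fw   src=10.0.0.5 dst=10.0.0.20 event=port_scan",
    "2024-01-01T10:02:10Z nids src=10.0.0.5 dst=10.0.0.20 event=exploit_attempt",
    "2024-01-01T10:03:00Z hids src=10.0.0.5 dst=10.0.0.20 event=new_admin_account",
    "2024-01-01T10:01:00Z fw   src=10.0.0.9 dst=10.0.0.21 event=port_scan",
    "2024-01-01T14:00:00Z hids src=10.0.0.5 dst=10.0.0.20 event=suspicious_login",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sensor>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+event=(?P<event>\S+)$"
)

# Phase 3 "experience": known attacks as ordered sequences of intrusion types
# (hypothetical model; a real one would be learned or curated from past incidents).
ATTACK_MODEL = {
    "scan_then_compromise": ["port_scan", "exploit_attempt", "new_admin_account"],
    "reconnaissance": ["port_scan"],
}


def parse_alert(line):
    """Normalize one sensor line into a dict; reject lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "sensor": m["sensor"], "src": m["src"], "dst": m["dst"], "event": m["event"]}


def correlate(alerts, window_s=600):
    """Phase 2: group alerts by (src, dst), order them in time, and cut the stream
    into sessions wherever two consecutive alerts are more than window_s apart."""
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a["src"], a["dst"])].append(a)
    sessions = []
    for (src, dst), group in by_pair.items():
        group.sort(key=lambda a: a["ts"])
        current = [group[0]]
        for a in group[1:]:
            if (a["ts"] - current[-1]["ts"]).total_seconds() > window_s:
                sessions.append({"src": src, "dst": dst, "alerts": current})
                current = []
            current.append(a)
        sessions.append({"src": src, "dst": dst, "alerts": current})
    return sessions


def is_subsequence(pattern, events):
    """True if every element of pattern occurs in events, in order (gaps allowed)."""
    it = iter(events)
    return all(p in it for p in pattern)


def identify(session, model=ATTACK_MODEL):
    """Phase 3: name the most specific (longest) modelled attack the session exhibits."""
    names = [a["event"] for a in session["alerts"]]
    best = None
    for name, pattern in model.items():
        if is_subsequence(pattern, names) and (best is None or len(pattern) > len(model[best])):
            best = name
    return best


def describe_attacks(lines, model=ATTACK_MODEL, window_s=600):
    """Run all three phases and return one attack description per correlated session."""
    alerts = [parse_alert(line) for line in lines]
    out = []
    for s in correlate(alerts, window_s):
        out.append({
            "src": s["src"],
            "dst": s["dst"],
            "sequence": [a["event"] for a in s["alerts"]],
            "sensors": sorted({a["sensor"] for a in s["alerts"]}),
            "attack": identify(s, model),
        })
    return out


if __name__ == "__main__":
    for d in describe_attacks(SAMPLE_ALERTS):
        print(d)
```

The point of the example is the hand-off between phases: the correlation step turns isolated alarms from three different sensors into one ordered event sequence per attacker/target pair, and only that sequence is matched against the model. An alert that falls outside the window (the later `suspicious_login`) starts a new session and is reported as an unidentified sequence rather than being silently merged into the earlier attack.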