Method of automatically classifying a set of alarms emitted by sensors for detecting intrusions of an information security system
First Claim
1. A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An) each of which has a partial order relationship, which method comprises the following steps:
organizing the attributes belonging to each attribute domain into a hierarchical structure including levels defined in accordance with the partial order relationship of the attribute domain, the attribute domains thus forming hierarchical structures;
constructing for each alert issued by the intrusion detection sensors (11a, 11b, 11c) a trellis specific to that alert by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure, the specific trellis including nodes corresponding to alerts linked to each other by arcs so that each node is linked to one or more parent nodes and/or to one or more child or descendant nodes;
iteratively merging each specific trellis into a general trellis;
identifying collated alerts in the general trellis by selecting the alerts that are simultaneously the most pertinent and the most general in accordance with statistical criteria and according to their attributes belonging to lower levels of the hierarchical structures; and
supplying the collated alerts to an output unit (23) of an alert management system (13) in order to provide an overview of all the alerts issued by the intrusion detection sensors (11a, 11b, 11c).
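The five claimed steps carried out end to end, as an added worked example that is not part of the patent or of any product implementing it. The attribute hierarchies (source address, destination port, signature), the five sample alerts and the selection rule are all constructed for illustration: "pertinent" is taken to mean a node covering at least min_support raw alerts, and "most general ... according to attributes belonging to lower levels" is taken to mean that among pertinent nodes only those with no pertinent child are kept, so every reported collated alert is as specific as the statistics allow and every more general ancestor is implied by it.

```python
from collections import Counter, defaultdict
from itertools import product

# Constructed generalization hierarchies (assumed example data, not from the patent).
# Each domain maps a value to its parent one level up; the root of every domain is "ANY".
HIERARCHIES = {
    "src": {
        "10.0.1.5": "10.0.1.0/24", "10.0.1.9": "10.0.1.0/24",
        "10.0.1.0/24": "INTERNAL", "203.0.113.7": "EXTERNAL",
        "INTERNAL": "ANY", "EXTERNAL": "ANY",
    },
    "dport": {
        "22": "remote-admin", "3389": "remote-admin",
        "80": "web", "443": "web",
        "remote-admin": "ANY", "web": "ANY",
    },
    "sig": {
        "ssh-brute": "auth-attack", "rdp-brute": "auth-attack",
        "sqli": "web-attack", "xss": "web-attack",
        "auth-attack": "ANY", "web-attack": "ANY",
    },
}
DOMAINS = tuple(HIERARCHIES)  # fixed attribute order used in every node tuple

# Constructed sample alerts as a sensor might report them (not real traffic).
ALERTS = [
    {"src": "10.0.1.5", "dport": "22", "sig": "ssh-brute"},
    {"src": "10.0.1.9", "dport": "22", "sig": "ssh-brute"},
    {"src": "10.0.1.5", "dport": "3389", "sig": "rdp-brute"},
    {"src": "203.0.113.7", "dport": "80", "sig": "sqli"},
    {"src": "203.0.113.7", "dport": "443", "sig": "xss"},
]


def chain(domain, value):
    """Step 1: the attribute's path through its hierarchy, one entry per level."""
    out = [value]
    while out[-1] != "ANY":
        out.append(HIERARCHIES[domain][out[-1]])
    return out


def specific_trellis(alert):
    """Step 2: every generalization of one alert, i.e. the product of its chains."""
    return set(product(*(chain(d, alert[d]) for d in DOMAINS)))


def parents(node):
    """Arcs of the trellis: nodes one level more general (one attribute generalized)."""
    for i, d in enumerate(DOMAINS):
        if node[i] != "ANY":
            yield node[:i] + (HIERARCHIES[d][node[i]],) + node[i + 1:]


def merge(alerts):
    """Step 3: merge each specific trellis into the general trellis.

    Returns the support (raw alerts covered) of every node and the child arcs."""
    support = Counter()
    for alert in alerts:
        support.update(specific_trellis(alert))
    children = defaultdict(set)
    for node in support:
        for parent in parents(node):
            children[parent].add(node)
    return support, children


def collate(alerts, min_support):
    """Step 4: keep pertinent nodes (support >= min_support) that have no pertinent
    child, so each collated alert is the most specific summary the data justifies."""
    support, children = merge(alerts)
    pertinent = {n for n, c in support.items() if c >= min_support}
    return sorted((n, support[n]) for n in pertinent if not (children[n] & pertinent))


if __name__ == "__main__":
    # Step 5: hand the collated alerts to whatever plays the role of the output unit.
    for node, count in collate(ALERTS, min_support=2):
        print(dict(zip(DOMAINS, node)), "covers", count, "alerts")
```

With min_support=2 the five raw alerts collapse to three collated ones: SSH brute-forcing from the 10.0.1.0/24 subnet, authentication attacks against remote-admin ports from 10.0.1.5, and web attacks from 203.0.113.7. Raising min_support to 3 yields the single, more general node (10.0.1.0/24, remote-admin, auth-attack), which is the trade-off the claim describes between pertinence and generality.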
Abstract
A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).
9 Claims
1. Claim 1 is reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. Alert management system for automatically classifying alerts issued by intrusion detection sensors for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An) each of which has a partial order relationship, which system comprises:
processor means for organizing the attributes belonging to each attribute domain into a hierarchical structure including levels defined in accordance with the partial order relationship of the attribute domain, the attribute domains thus forming hierarchical structures;
processor means for constructing for each alert issued by the intrusion detection sensors a trellis specific to that alert by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure, the specific trellis including nodes corresponding to alerts linked to each other by arcs so that each node is linked to one or more parent nodes and/or to one or more child or descendant nodes;
processor means for iteratively merging each specific trellis into a general trellis;
processor means for identifying collated alerts in the general trellis by selecting the alerts that are simultaneously the most pertinent and the most general in accordance with statistical criteria and according to their attributes belonging to lower levels of the hierarchical structures; and
processor means for supplying the collated alerts to an output unit (23) in order to provide an overview of all the alerts issued by the intrusion detection sensors. Dependent claim: 9.