Exploiting diversity and correlation to improve the performance of intrusion detection systems

Coppolino, Luigi; D'Antonio, Salvatore; Romano, Luigi
2009-01-01

Abstract

Intrusion Detection Systems (IDSs) are one of the most widely used technologies for computer security. Regrettably, current solutions are far from perfect, since they either produce a large number of false positives or they can only detect already known attacks. Correlation of information from diverse sources has been proven to be an effective approach for improving IDS performance, i.e. achieving high detection while reducing false positives. In this paper, we propose an IDS solution correlating attack symptoms from diverse information sources, which are collected at different architectural levels, and particularly the network, the DBMS, and the application level. We present an ontology-based approach to correlation, and describe how it can be implemented as a distributed, highly scalable system. The paper contains a thorough discussion of the key issues that we have addressed, and of the technological choices that we have made.
Year: 2009
ISBN: 978-2-9532-4431-1

Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11367/1838
Citations
  • PMC: N/A
  • Scopus: 19
  • ISI: 0