
Une architecture semi-supervisée et adaptative pour le filtrage d'alarmes dans les systèmes de détection d'intrusions sur les réseaux (A semi-supervised and adaptive architecture for alarm filtering in network intrusion detection systems)

Abstract: We study the limitations of current systems that process the alarms generated by network intrusion detection systems (NIDS) and propose a new automatic approach that improves the filtering of those alarms. Our main contributions are as follows. 1. We propose an alarm-filtering architecture that analyses logs and NIDS alerts in order to discard false positives. 2. We study the dynamic behaviour of the proposed architecture. Running it in real time raises the problem of adapting it to changes that occur over time, and we identify three such problems: (1) adapting to the evolution of the monitored network (new machines, new routers, etc.), (2) adapting to the appearance of new types of attack, and (3) adapting to the appearance of new behaviour types or the gradual drift of existing ones. To address these problems we use the notion of distance rejection from pattern recognition together with statistical hypothesis testing. All our proposals were implemented and evaluated in the experiments described throughout the thesis. The experiments use alarms generated by SNORT, a network-based intrusion detection system deployed in an operational environment to monitor the network of the Rectorat de Rouen. This matters for the validation of the architecture: it uses alarms from a real environment rather than from a simulated or laboratory environment, which may have significant limitations.
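The abstract names two mechanisms without showing them: distance rejection (a window of alerts that lies too far from every known class is rejected rather than forced into "false positive" or "attack", so that new attack types and new network behaviour reach an analyst instead of being silently filtered) and a statistical hypothesis test that signals when the model no longer describes the alert population. The block below is an added illustration of those two ideas, not code from the thesis or from Snort. Its feature set (alert count, distinct rules, distinct destinations, mean priority per source host), the min-max scaling, the nearest-prototype classifier, the rejection threshold factor, the 5 % baseline rejection rate, and the Snort fast-format sample lines with their rule ids and hosts are all assumptions made for the example; the thesis's own feature extraction and test statistics are not described on this page.

```python
"""Distance rejection for NIDS alarm filtering (added example, not the thesis's code).

Snort fast-format alerts are grouped per source host into a feature vector, the
vector is compared with class prototypes learned from analyst-labelled windows,
and a vector that lies too far from every prototype is rejected instead of
being classified.  A one-sided binomial test on the rejection rate flags when
the labelled set has stopped describing the traffic (drift)."""
import math
import re
from collections import defaultdict

# Constructed Snort "fast" alert lines; rule ids and addresses are hypothetical.
SAMPLE_ALERTS = """\
12/01-10:00:01.000000  [**] [1:1000001:1] EXAMPLE SCAN ssh probe [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.1.1:22
12/01-10:00:01.200000  [**] [1:1000001:1] EXAMPLE SCAN ssh probe [**] [Priority: 3] {TCP} 10.0.0.5:40002 -> 10.0.1.1:22
12/01-10:00:01.400000  [**] [1:1000001:1] EXAMPLE SCAN ssh probe [**] [Priority: 3] {TCP} 10.0.0.5:40003 -> 10.0.1.1:22
12/01-10:00:01.600000  [**] [1:1000001:1] EXAMPLE SCAN ssh probe [**] [Priority: 3] {TCP} 10.0.0.5:40004 -> 10.0.1.1:22
12/01-10:00:01.800000  [**] [1:1000001:1] EXAMPLE SCAN ssh probe [**] [Priority: 3] {TCP} 10.0.0.5:40005 -> 10.0.1.1:22
12/01-10:00:05.000000  [**] [1:1000010:2] EXAMPLE WEB-ATTACK path traversal [**] [Priority: 1] {TCP} 198.51.100.7:51000 -> 10.0.1.20:80
12/01-10:00:06.000000  [**] [1:1000011:2] EXAMPLE WEB-ATTACK command injection [**] [Priority: 1] {TCP} 198.51.100.7:51001 -> 10.0.1.20:80
12/01-10:00:07.000000  [**] [1:1000012:1] EXAMPLE ATTACK-RESPONSE id check [**] [Priority: 2] {TCP} 198.51.100.7:51002 -> 10.0.1.21:4444
12/01-10:00:09.000000  [**] [1:1000020:1] EXAMPLE SNMP public probe [**] [Priority: 2] {UDP} 203.0.113.9:5000 -> 10.0.1.30:161
12/01-10:00:09.100000  [**] [1:1000021:1] EXAMPLE NETBIOS name query [**] [Priority: 2] {UDP} 203.0.113.9:5001 -> 10.0.1.31:137
12/01-10:00:09.200000  [**] [1:1000022:1] EXAMPLE DNS version bind [**] [Priority: 2] {UDP} 203.0.113.9:5002 -> 10.0.1.32:53
12/01-10:00:09.300000  [**] [1:1000023:1] EXAMPLE TFTP get [**] [Priority: 2] {UDP} 203.0.113.9:5003 -> 10.0.1.33:69
12/01-10:00:09.400000  [**] [1:1000024:1] EXAMPLE NTP monlist [**] [Priority: 2] {UDP} 203.0.113.9:5004 -> 10.0.1.34:123
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

# Constructed feature vectors of windows an analyst has already labelled:
# [alert count, distinct rules, distinct destinations, mean priority].
LABELLED_WINDOWS = {
    "false_positive": [[5, 1, 1, 3.0], [6, 1, 1, 3.0], [4, 1, 1, 3.0]],   # noisy monitoring host
    "true_positive": [[3, 3, 2, 1.33], [4, 4, 3, 1.25], [2, 2, 2, 1.5]],   # multi-stage attacks
}


def summarise(alert_text):
    """Group fast-format lines by source host and build one feature vector per host.
    Lines that do not match the format are skipped."""
    per_src = defaultdict(list)
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            per_src[m["src"]].append((m["sid"], m["dst"], int(m["pri"])))
    return {src: [float(len(ev)), float(len({s for s, _, _ in ev})),
                  float(len({d for _, d, _ in ev})), sum(p for _, _, p in ev) / len(ev)]
            for src, ev in per_src.items()}


class AlarmFilter:
    """Nearest-prototype classifier with distance rejection (assumed design)."""

    def __init__(self, labelled, reject_factor=1.5):
        self.labelled = {k: [list(v) for v in vs] for k, vs in labelled.items()}
        self.reject_factor = reject_factor   # assumption: reject beyond 1.5x the worst training distance
        self._fit()

    def _fit(self):
        vectors = [v for vs in self.labelled.values() for v in vs]
        dims = range(len(vectors[0]))
        self.lo = [min(v[i] for v in vectors) for i in dims]
        self.span = [max(max(v[i] for v in vectors) - self.lo[i], 1e-9) for i in dims]
        self.protos, worst = {}, 0.0
        for label, vs in self.labelled.items():
            scaled = [self._scale(v) for v in vs]
            proto = [sum(s[i] for s in scaled) / len(scaled) for i in dims]
            self.protos[label] = proto
            worst = max(worst, max(self._dist(s, proto) for s in scaled))
        self.threshold = self.reject_factor * worst

    def _scale(self, v):
        return [(v[i] - self.lo[i]) / self.span[i] for i in range(len(v))]

    @staticmethod
    def _dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def classify(self, v):
        """Return (label, distance); label is 'reject' when no prototype is close enough."""
        s = self._scale(v)
        label, d = min(((lab, self._dist(s, p)) for lab, p in self.protos.items()), key=lambda t: t[1])
        return ("reject", d) if d > self.threshold else (label, d)

    def learn(self, label, v):
        """Adaptation step: an analyst labels a rejected window and the prototypes are refitted."""
        self.labelled.setdefault(label, []).append(list(v))
        self._fit()


def drift_pvalue(rejections, windows, baseline_rate=0.05):
    """One-sided binomial test: P(at least `rejections` rejected windows out of `windows`)
    if the rejection rate were still `baseline_rate`.  A small value means the alert
    population has shifted and the labelled set needs refreshing."""
    return sum(math.comb(windows, k) * baseline_rate ** k * (1 - baseline_rate) ** (windows - k)
               for k in range(rejections, windows + 1))


if __name__ == "__main__":
    flt = AlarmFilter(LABELLED_WINDOWS)
    for src, vec in summarise(SAMPLE_ALERTS).items():
        print(src, vec, flt.classify(vec))
    print("drift p-value, 6 rejections in 20 windows:", drift_pvalue(6, 20))
```

On the constructed input the scanning host matches the false-positive prototype, the multi-stage attacker matches the true-positive prototype, and the host probing five services on five machines is rejected because it resembles neither; once an analyst gives that window a label, `learn` refits the prototypes and the same window is classified next time. The test is only a drift signal: a run of rejections that a fixed 5 % rate would not explain says the labelled set is stale, not which of the three causes in the abstract (network change, new attack, behaviour drift) is responsible.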
Document type: Theses

Cited literature: 178 references

https://tel.archives-ouvertes.fr/tel-00917605
Contributor: Philippe Leray
Submitted on: Thursday, December 12, 2013 - 10:13:20 AM
Last modification on: Friday, October 23, 2020 - 4:33:43 PM
Long-term archiving on: Friday, March 14, 2014 - 11:01:04 AM

Identifiers

HAL Id: tel-00917605, version 1

Citation

Ahmad Faour. Une architecture semi-supervisée et adaptative pour le filtrage d'alarmes dans les systèmes de détection d'intrusions sur les réseaux. Apprentissage [cs.LG]. INSA de Rouen, 2007. Français. ⟨tel-00917605⟩
