Threat Evaluation Method for Distributed Network Environment.pdfVIP

JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 22, 889-907 (2006) 889 Threat Evaluation Method for Distributed Network Environment KEUN-HEE HAN, IL-GON KIM, KANG-WON LEE, JIN-YOUNG CHOI + AND SANG-HUN JEON * Department of Computer Science and Engineering Korea University Seoul, 136-701 Korea * NHN Corporation, IT Security Team Kyunggido, 463-844 Korea The approach proposed in this paper involves the creation of a new algorithm for analyzing correlation alerts and providing the correct information regarding the detection of various types of security attacks, such as DDoS. It also enables the evaluation of the attack status, the degree of danger from the viewpoint of a managed network environ- ment and the assets protected by the security devices. This paper proposes an advanced ESM system (referred to as the “SIA System”), which is capable of grouping a large amount of alert messages, analyzing mixed attacks using correlation alert messages from each sensor and responding to security threats quickly, after classifying them into one of four different statuses. It was confirmed that this system implementation could identify and analyze all types of intrusion by attackers in a managed network. Therefore, it pro- vides a very effective means for security experts to cope with security threats in real time. Keywords: ESM (enterprise security management), Meta-IDS, SIM (security informa- tion management), SIA (security information alert), status evaluation logic 1. INTRODUCTION With the ever increasing use of the Internet by all types of companies, security threats such as attacks on enterprise infrastructure by hackers, the leakage of personal data and the infection of confidential business information caused by e-mail based vi- ruses, have become major issues in the security literature over the last few decades. Se- curity systems such as IDS (Intrusion Detection Systems) and Firewalls have been de- veloped to detect and protect