Patrick,

My suggestion is to use counters for several types of entities. Each IDS event will increment some counters with a given quantity, according to its severity. Then you use thresholds based on the score of the entities in a given time interval. An entity that rises above the threshold triggers an alert, and the events that caused the above-average score are shown to the analyst for further investigation.
Some good entities can be: hosts, networks, applications, users, protocols. You can improve the system by monitoring traffic with netflows and generating events for abnormal traffic, also based on thresholds.

Regards,

--
Augusto Paes de Barros, CISSP-ISSAP(r)
http://www.paesdebarros.com.br

On 12 Aug 2005 05:18:36 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hi There
>
> I am doing a project of applying data mining techniques to Intrusion
> Detection systems.
>
> I am also interested in DECISION SUPPORT SYSTEM (Note that this is decision
> SUPPORT system, not decision MAKING. So it does not make decisions but SUPPORTS
> the decision making process.). So I decided to have DECISION SUPPORT SYSTEM as
> a section of my project.
>
> The problem is that I don't know how to LINK Intrusion Detection to DECISION
> SUPPORT SYSTEM.
>
> I thought: IDS can detect possible THREATS and this helps the Network Admin to
> make DECISIONS about the security level, or DO corrective ACTIONS.
>
> Can you give me some thoughts on HOW TO LINK/RELATE IDS to DECISION SUPPORT
> SYSTEM? In other words, how can IDS be considered a DECISION SUPPORT
> SYSTEM, and are there any products relating to this topic in the real world?
>
> Thanks
>
> Have a nice day
>
> Patrick Tran
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
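Augusto's counter-and-threshold scheme, worked through as an added Python example. This is not code from the original thread or from any product; the severity weights, the entity types (host, protocol, user), the 300-second window, the per-type thresholds and the IDS events fed in are all constructed for illustration. Each event increments the counters of every entity it touches, scores are summed over a sliding time window, an entity that crosses its threshold raises one alert carrying the events that produced the score, and the alert re-arms once the score falls back below the threshold.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

# Assumed severity weights: how much one event adds to each counter it touches.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 10}

EntityKey = Tuple[str, str]  # (entity type, entity id), e.g. ("host", "10.0.0.5")


@dataclass(frozen=True)
class IdsEvent:
    ts: float              # seconds since an arbitrary epoch; events arrive in time order
    signature: str
    severity: str          # key into SEVERITY_WEIGHT
    src_host: str
    dst_host: str
    proto: str
    user: Optional[str] = None


@dataclass
class Alert:
    entity: EntityKey
    score: int                 # summed weights inside the window when the threshold was crossed
    events: List[IdsEvent]     # the contributing events, handed to the analyst


def entity_keys(ev: IdsEvent) -> List[EntityKey]:
    """Map one event onto the entities whose counters it increments:
    both hosts, the protocol and, when present, the user."""
    keys = [("host", ev.src_host), ("host", ev.dst_host), ("protocol", ev.proto)]
    if ev.user:
        keys.append(("user", ev.user))
    return keys


class EntityScorer:
    def __init__(self, window_seconds: float, thresholds: Dict[str, int]):
        self.window = window_seconds
        self.thresholds = thresholds  # threshold per entity type; types without one never alert
        self._hits: Dict[EntityKey, Deque[Tuple[float, int, IdsEvent]]] = defaultdict(deque)
        self._active: Set[EntityKey] = set()  # entities currently above threshold (alert once per crossing)

    def _expire(self, key: EntityKey, now: float) -> None:
        """Drop hits that have slid out of the time window (assumes monotonic timestamps)."""
        q = self._hits[key]
        while q and q[0][0] < now - self.window:
            q.popleft()

    def score(self, key: EntityKey, now: float) -> int:
        self._expire(key, now)
        return sum(w for _, w, _ in self._hits[key])

    def add(self, ev: IdsEvent) -> List[Alert]:
        """Ingest one IDS event and return any alerts it triggers."""
        weight = SEVERITY_WEIGHT[ev.severity]
        alerts: List[Alert] = []
        for key in entity_keys(ev):
            self._hits[key].append((ev.ts, weight, ev))
            s = self.score(key, ev.ts)
            threshold = self.thresholds.get(key[0])
            if threshold is None:
                continue
            if s >= threshold:
                if key not in self._active:      # fire only on the upward crossing
                    self._active.add(key)
                    alerts.append(Alert(key, s, [e for _, _, e in self._hits[key]]))
            else:
                self._active.discard(key)        # score decayed below threshold: re-arm
        return alerts


# Constructed sample events: a short burst from 10.0.0.5 against internal hosts,
# then an unrelated low-severity probe much later, after the window has rolled over.
SAMPLE_EVENTS = [
    IdsEvent(0.0, "ICMP echo sweep", "low", "10.0.0.5", "10.0.0.20", "icmp"),
    IdsEvent(5.0, "SMB probe", "low", "10.0.0.5", "10.0.0.21", "tcp"),
    IdsEvent(10.0, "SMB probe", "low", "10.0.0.5", "10.0.0.22", "tcp"),
    IdsEvent(20.0, "Suspicious login", "medium", "10.0.0.5", "10.0.0.21", "tcp", user="svc_backup"),
    IdsEvent(30.0, "Exploit attempt", "high", "10.0.0.5", "10.0.0.21", "tcp"),
    IdsEvent(400.0, "SMB probe", "low", "10.0.0.9", "10.0.0.21", "tcp"),
]


def run_demo() -> Tuple[List[Alert], EntityScorer]:
    """Feed the constructed events through a scorer with assumed thresholds."""
    scorer = EntityScorer(window_seconds=300.0, thresholds={"host": 12, "user": 5, "protocol": 20})
    alerts: List[Alert] = []
    for ev in SAMPLE_EVENTS:
        alerts.extend(scorer.add(ev))
    return alerts, scorer


if __name__ == "__main__":
    for a in run_demo()[0]:
        print(f"ALERT {a.entity[0]} {a.entity[1]} score={a.score}")
        for e in a.events:
            print(f"    t={e.ts:>5} {e.severity:<6} {e.signature} {e.src_host}->{e.dst_host}")
```

With these inputs the source host 10.0.0.5 and the repeatedly targeted host 10.0.0.21 both cross the host threshold on the high-severity event at t=30, each alert listing only the events inside its window, while the tcp counter stays below its threshold. By t=400 the earlier hits have expired, so the late probe raises nothing and the two hosts are re-armed.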
