ACARM (Alert Correlation, Assessment and Reaction Module) is an open source intrusion detection system. It was developed as a part of the POSITIF project between 2004 and 2007. It was written as a practical proof of concept of the alert correlation approach presented in the cited article.[1]
| Field | Value |
|---|---|
| Original author(s) | Bartłomiej Balcerek, Bartosz Szurgot, Wojciech Waga, Marcin Wojtkiewicz |
| Developer(s) | WCSS |
| Initial release | 2008.04.01 |
| Final release | 0.1.0 / October 5, 2009 |
| Written in | Java |
| Operating system | cross-platform |
| Successor | ACARM-ng |
| Type | Intrusion-detection system |
| License | GPL |
| Website | http://www.acarm.wcss.wroc.pl (no longer available for download) |
Filters architecture
The figure shows the chain-like architecture of filters used in the system.
Each alert enters each filter in turn, stays there for a specified amount of time and then proceeds further along the chain. The main issue with such an approach is that an alert can be reported only after its processing by the whole chain is done, which in turn takes at least a few minutes.
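The following simulation, added here as an illustration and not code from ACARM itself, models a chain of filters in which each stage holds an alert for a fixed time and (an assumption of this example) merges alerts sharing the same key while they are held; it shows that the time to report an alert is at least the sum of the hold times of all stages.

```python
# Constructed simulation of a chain-of-filters alert pipeline (not ACARM code).
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple


@dataclass
class Alert:
    key: str        # hypothetical correlation key, e.g. the source host
    t_in: int       # second at which the raw alert entered the chain
    count: int = 1  # number of raw alerts merged into this one


@dataclass
class Filter:
    hold: int  # seconds each alert is kept in this stage
    buffer: Deque[Tuple[int, Alert]] = field(default_factory=deque)  # (t_release, alert)

    def push(self, alert: Alert, now: int) -> None:
        # Assumption: a stage merges alerts with the same key while both are held.
        for _, held in self.buffer:
            if held.key == alert.key:
                held.count += alert.count
                return
        self.buffer.append((now + self.hold, alert))

    def pop_ready(self, now: int) -> List[Alert]:
        # Release times are monotonic because hold is constant per stage.
        ready = []
        while self.buffer and self.buffer[0][0] <= now:
            ready.append(self.buffer.popleft()[1])
        return ready


def run_chain(holds: List[int], arrivals: List[Tuple[int, str]], horizon: int):
    """Feed (time, key) arrivals through the chain; return (key, count, latency) per report."""
    stages = [Filter(h) for h in holds]
    pending = sorted(arrivals)
    reported = []
    for now in range(horizon + 1):
        while pending and pending[0][0] == now:
            t, key = pending.pop(0)
            stages[0].push(Alert(key, t), now)
        for i, stage in enumerate(stages):  # move released alerts one stage down
            for alert in stage.pop_ready(now):
                if i + 1 < len(stages):
                    stages[i + 1].push(alert, now)
                else:  # leaving the last filter is the only point where a report is emitted
                    reported.append((alert.key, alert.count, now - alert.t_in))
    return reported


# Constructed input: three stages holding 60 s, 120 s and 60 s; two alerts from hostA merge.
REPORTS = run_chain([60, 120, 60], [(0, "hostA"), (30, "hostA"), (100, "hostB")], 400)
```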
Notes
The project is no longer maintained. It has been replaced with the new, plug-in-based ACARM-ng.
References
- Valeur, F.; Vigna, G.; Kruegel, C.; Kemmerer, R.A. (2004). "Comprehensive approach to intrusion detection alert correlation". IEEE Transactions on Dependable and Secure Computing. 1 (3): 146–169. CiteSeerX 10.1.1.60.6872. doi:10.1109/TDSC.2004.21. S2CID 2603627.