Real-time intrusion detection alert correlation
Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches to correlation concentrate on just a few components of the process, providing formalisms and techniques that address only specific correlation issues. In addition, existing systems do not have the real-time performance needed to perform online alert correlation.
AlertSTAT is built on a general correlation model that covers a comprehensive set of components, together with a real-time correlation tool based on that model. The tool has been applied to a number of intrusion detection datasets to measure how each component contributes to the overall goals of correlation and to validate the tool's real-time performance. The results of these experiments show that the tool is effective in achieving alert reduction and abstraction while operating in real time.
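To make the two goals above concrete (alert reduction: several raw alerts become one meta-alert; abstraction: a meta-alert describes an attack thread rather than individual signature hits), here is an added illustration written for this page. It is not AlertSTAT's code or model. It chains two generic correlation components, fusion of duplicate sensor reports and reconstruction of source/destination attack threads, as online sliding-window stages; the alert fields, the window sizes, the component choice and the sample alerts are all assumptions constructed for the example.

```python
"""Two-stage online alert correlation: fusion, then thread reconstruction.

Added illustration, not AlertSTAT's implementation. The alert format,
the two components, the window sizes and the sample alerts are constructed
assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    ts: float      # seconds (constructed timestamps)
    sensor: str    # IDS that raised the alert
    name: str      # signature / attack name
    src: str       # attacker address
    dst: str       # victim address


@dataclass
class MetaAlert:
    start: float
    end: float
    src: str
    dst: str
    names: list = field(default_factory=list)   # distinct attack names, in order seen
    sensors: set = field(default_factory=set)   # sensors that contributed
    count: int = 0                              # raw alerts absorbed


def merge(group: MetaAlert, m: MetaAlert) -> None:
    """Fold meta-alert m into an open group, keeping it abstract and compact."""
    group.start = min(group.start, m.start)
    group.end = max(group.end, m.end)
    for n in m.names:
        if n not in group.names:
            group.names.append(n)
    group.sensors |= m.sensors
    group.count += m.count


class Correlator:
    """One correlation component.

    Meta-alerts with equal keyfn(m) that arrive within `window` seconds of
    the group's first alert are merged. A group is emitted as soon as a newer
    alert proves its window has closed, so state stays bounded and output is
    produced online rather than after the whole stream is read. Caveat: the
    window is measured from the group's start, so an attack that runs longer
    than `window` is split into consecutive meta-alerts.
    """

    def __init__(self, keyfn, window: float):
        self.keyfn, self.window = keyfn, window
        self.open = {}

    def push(self, m: MetaAlert) -> list:
        out = self.expire(m.start)
        key = self.keyfn(m)
        group = self.open.get(key)
        if group is None:
            self.open[key] = m
        else:
            merge(group, m)
        return out

    def expire(self, now: float) -> list:
        done = [k for k, g in self.open.items() if now - g.start > self.window]
        return [self.open.pop(k) for k in done]

    def flush(self) -> list:
        out = list(self.open.values())
        self.open.clear()
        return out


def correlate(alerts, fusion_window=2.0, thread_window=60.0) -> list:
    """Stage 1 fuses the same (name, src, dst) reported by several sensors;
    stage 2 groups fused alerts by (src, dst) into attack threads."""
    fusion = Correlator(lambda m: (m.names[0], m.src, m.dst), fusion_window)
    threads = Correlator(lambda m: (m.src, m.dst), thread_window)
    out = []
    for a in sorted(alerts, key=lambda a: a.ts):
        raw = MetaAlert(a.ts, a.ts, a.src, a.dst, [a.name], {a.sensor}, 1)
        for fused in fusion.push(raw):
            out += threads.push(fused)
    for fused in fusion.flush():
        out += threads.push(fused)
    out += threads.flush()
    return out


# Constructed sample stream: two NIDS and one HIDS watching one attacker
# scanning, exploiting and escalating on one host, plus an unrelated alert.
ALERTS = [
    Alert(100.0, "snort",    "PORTSCAN",    "10.0.0.5", "192.168.1.10"),
    Alert(100.4, "suricata", "PORTSCAN",    "10.0.0.5", "192.168.1.10"),
    Alert(101.0, "snort",    "PORTSCAN",    "10.0.0.5", "192.168.1.10"),
    Alert(130.0, "snort",    "WEB_EXPLOIT", "10.0.0.5", "192.168.1.10"),
    Alert(130.3, "suricata", "WEB_EXPLOIT", "10.0.0.5", "192.168.1.10"),
    Alert(131.0, "hids",     "PRIV_ESC",    "10.0.0.5", "192.168.1.10"),
    Alert(140.0, "snort",    "DNS_ANOMALY", "10.0.0.9", "192.168.1.53"),
    Alert(300.0, "snort",    "PORTSCAN",    "10.0.0.5", "192.168.1.10"),
]

if __name__ == "__main__":
    for m in correlate(ALERTS):
        print(f"{m.start:6.1f}-{m.end:6.1f} {m.src} -> {m.dst} "
              f"{m.names} from {sorted(m.sensors)} ({m.count} raw alerts)")
```

On the constructed stream the eight raw alerts collapse to three meta-alerts, and the first one reads as a single thread "PORTSCAN, WEB_EXPLOIT, PRIV_ESC from 10.0.0.5 against 192.168.1.10" seen by all three sensors, which is the abstraction an analyst wants; the late scan at t=300 falls outside the thread window and correctly starts a new meta-alert. Because each stage emits as soon as a window closes, the pipeline works on a live feed, not only on a stored dataset.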
2006 (2 publications)
Real-Time Intrusion Detection Alert Correlation
2005 (1 publication)
Intrusion Detection and Correlation: Challenges and Solutions
2004 (1 publication)
A Comprehensive Approach to Intrusion Detection Alert Correlation
IEEE Transactions on Dependable and Secure Computing, 2004
This research was supported by the Army Research Laboratory and the Army Research Office, under agreement DAAD19-01-1-0484.