Description
Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches to correlation concentrate on just a few components of the process, providing formalisms and techniques that address only specific correlation issues. In addition, existing systems do not have the real-time performance needed to perform online alert correlation.
AlertSTAT consists of a general correlation model covering a comprehensive set of components and a real-time correlation tool based on that model. The tool has been applied to a number of intrusion detection datasets to identify how each component contributes to the overall goals of correlation and to validate the real-time performance of the tool. The results of these experiments show that the correlation tool is effective in achieving alert reduction and abstraction while operating in real-time.
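To make the multi-component view of correlation concrete, here is a small added example (not AlertSTAT's own code) that runs constructed alerts from several sensors through two assumed components, a fusion step that collapses duplicate reports of one event and a thread-reconstruction step that groups events into attack threads; the component names, field names and time thresholds are assumptions for illustration, not taken from the AlertSTAT model.

```python
# Constructed sample alerts, as if from two network sensors and one host sensor
# watching the same segment (addresses are documentation ranges, not real hosts).
RAW_ALERTS = [
    {"sensor": "nids-1", "ts": 100.0, "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "portscan"},
    {"sensor": "nids-2", "ts": 100.4, "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "portscan"},
    {"sensor": "nids-1", "ts": 130.0, "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "web-exploit"},
    {"sensor": "nids-2", "ts": 130.1, "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "web-exploit"},
    {"sensor": "hids-5", "ts": 131.0, "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "new-admin-user"},
    {"sensor": "nids-1", "ts": 500.0, "src": "198.51.100.9", "dst": "10.0.0.8", "sig": "dns-anomaly"},
]

FUSION_WINDOW = 2.0   # seconds; assumed: same sig/src/dst within this window is one event
THREAD_GAP = 300.0    # seconds; assumed: a longer silence between events starts a new thread


def fuse(alerts):
    """Fusion component: merge reports of the same event seen by different sensors."""
    fused = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for f in fused:
            same_event = (f["sig"], f["src"], f["dst"]) == (a["sig"], a["src"], a["dst"])
            if same_event and a["ts"] - f["ts"] <= FUSION_WINDOW:
                f["sensors"].add(a["sensor"])   # record the extra witness, no new event
                break
        else:
            fused.append({**a, "sensors": {a["sensor"]}})
    return fused


def build_threads(events):
    """Thread reconstruction: chain time-ordered events with the same src/dst pair."""
    threads = []  # each thread: src, dst, start, end, ordered list of signatures
    for e in events:
        for t in threads:
            if (t["src"], t["dst"]) == (e["src"], e["dst"]) and e["ts"] - t["end"] <= THREAD_GAP:
                t["end"] = e["ts"]
                t["steps"].append(e["sig"])
                break
        else:
            threads.append({"src": e["src"], "dst": e["dst"], "start": e["ts"],
                            "end": e["ts"], "steps": [e["sig"]]})
    return threads


def correlate(alerts):
    """Run both components and report how far the alert stream was reduced."""
    fused = fuse(alerts)
    return {"raw": len(alerts), "fused": len(fused), "threads": build_threads(fused)}
```

On the sample above six raw alerts become four fused events and two attack threads, one of which reads as portscan, then web-exploit, then new-admin-user, which is the kind of abstraction an analyst can act on that the raw stream does not show.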
Publications
- , "Using Hidden Markov Models to Evaluate the Risk of Intrusions", in Proceedings of the 9th Symposium on Recent Advances in Intrusion Detection (RAID), Springer Verlag, Hamburg, Germany, September 2006.
People
- Fredrik Valeur
Acknowledgments
This research was supported by the Army Research Laboratory and the Army Research Office, under agreement DAAD19-01-1-0484.