An efficient alert aggregation method based on conditional rough entropy and knowledge granularity

Abstract

With the growth of network security threats, security devices that generate a large number of logs and alerts are widely deployed. This paper proposes an alert aggregation scheme based on conditional rough entropy and knowledge granularity to address the problem of repetitive and redundant alert information produced by network security devices. First, conditional rough entropy and knowledge granularity are used to determine attribute weights; this method identifies the important attributes, and their weights, separately for different types of attacks. Using those attribute weights, the similarity value of two alerts is computed as a weighted sum over their attributes. Next, a sliding time window is used to aggregate alerts whose similarity value exceeds a threshold, which is set to reduce redundant alerts. Finally, the proposed scheme is applied to the CIC-IDS2018 dataset and the DARPA98 dataset. The experimental results show that this method effectively reduces redundant alerts and improves the efficiency of data processing, thus providing accurate and concise data for the next stage of alert fusion and analysis.
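The weighted-similarity and sliding-time-window aggregation step that the abstract describes, as an added Python example that is not the paper's code: the attribute weights are assumed constants here rather than being derived from conditional rough entropy and knowledge granularity, and the alert records are constructed (not taken from CIC-IDS2018 or DARPA98).

```python
from typing import Dict, List

# Constructed sample alerts (not from CIC-IDS2018 or DARPA98); ts is seconds.
ALERTS: List[Dict] = [
    {"ts": 0.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 22, "sig": "ssh-brute"},
    {"ts": 1.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 22, "sig": "ssh-brute"},
    {"ts": 2.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 22, "sig": "ssh-brute"},
    {"ts": 3.0, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.9", "dst_port": 22, "sig": "ssh-brute"},
    {"ts": 100.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 22, "sig": "ssh-brute"},
    {"ts": 101.0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 80, "sig": "http-scan"},
]

# Assumed attribute weights. The paper derives per-attack-type weights from
# conditional rough entropy and knowledge granularity; that step is not reproduced here.
WEIGHTS: Dict[str, float] = {"src_ip": 0.3, "dst_ip": 0.3, "dst_port": 0.2, "sig": 0.2}


def similarity(a: Dict, b: Dict, weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted sum of per-attribute equality indicators; lies in [0, 1] when weights sum to 1."""
    return sum(w * (a[k] == b[k]) for k, w in weights.items())


def aggregate(alerts: List[Dict], threshold: float, window: float) -> List[Dict]:
    """Merge each alert into the most similar cluster whose last alert lies within
    `window` seconds and whose similarity reaches `threshold`; otherwise open a new cluster."""
    clusters: List[Dict] = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        best, best_score = None, 0.0
        for c in clusters:
            if a["ts"] - c["last"] > window:  # cluster has fallen out of the sliding window
                continue
            s = similarity(a, c["rep"])
            if s >= threshold and s > best_score:
                best, best_score = c, s
        if best is None:
            clusters.append({"rep": a, "count": 1, "first": a["ts"], "last": a["ts"]})
        else:
            best["count"] += 1
            best["last"] = a["ts"]
    return clusters


def reduction_ratio(alerts: List[Dict], clusters: List[Dict]) -> float:
    """Fraction of raw alerts removed by aggregation."""
    return 1.0 - len(clusters) / len(alerts)


if __name__ == "__main__":
    cs = aggregate(ALERTS, threshold=0.8, window=60.0)
    for c in cs:
        r = c["rep"]
        print(c["count"], r["src_ip"], "->", r["dst_ip"], r["dst_port"], r["sig"])
    print(f"reduction: {reduction_ratio(ALERTS, cs):.0%}")
```

With these weights a change of source address alone scores 0.7 and stays below the 0.8 threshold, while a repeat of the same alert after the 60 s window has closed opens a fresh cluster rather than extending the old one.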

Sun, J., Gu, L., & Chen, K. (2020). An efficient alert aggregation method based on conditional rough entropy and knowledge granularity. Entropy, 22(3). https://doi.org/10.3390/e22030324
