Correlating alerts into compressed graphs using an attribute-based method and time windows


Abstract

Intrusion Detection Systems usually report a huge number of alerts every day. Since the abstraction level of these alerts is very low, analyzing them and discovering the attack strategies behind them is difficult or even impossible. Alert correlation methods have been developed to decrease the number of alerts and provide a high-level abstraction of them. In this paper, we propose a method to estimate correlation probabilities between alerts. The concept of time windows is applied in a special way to decrease the complexity and increase the accuracy as well. In addition, we suggest a compression method that further reduces the number of comparisons needed for correlating alerts and makes the output of the method more intelligible. Our experiments reveal that while the proposed correlation method performs accurately, its complexity drops noticeably compared to previous methods. © 2009 Springer-Verlag Berlin Heidelberg.

Citation (APA)

Ahmadinejad, S. H., & Jalili, S. (2009). Correlating alerts into compressed graphs using an attribute-based method and time windows. In Communications in Computer and Information Science (Vol. 58, pp. 18–25). https://doi.org/10.1007/978-3-642-10847-1_3
