An Improved Framework for Intrusion Alert Correlation

Alert correlation analyzes the alerts from one or more collaborative Intrusion Detection Systems (IDSs) to produce a concise overview of security-related activity on the network. The process consists of multiple components, each responsible for a different aspect of the overall correlation goal. The sequence order of the correlation components affects the correlation process performance. The total time needed for the whole process depends on the number of processed alerts in each component. This paper proposes a new correlation framework based on a model that reduces the number of processed alerts as early as possible by discarding the irrelevant and false alerts in the first phases. A new component is added to deal with the unrelated alerts. A modified algorithm for fusing the alerts is also proposed. The intruders’ intention is grouped into attack scenarios and thus used to detect future attacks. The contribution of this paper includes an enhanced new framework for alert correlation, the implementation of the alert correlator model based on the framework, and the evaluation of the model using the DARPA 2000 intrusion detection scenario specific datasets. The experimental results show that the correlation model is effective in achieving alert reduction and abstraction. The performance is improved after the attention is focused on correlating higher severity alerts.