Search results for: alert correlation

Number of results: 403255

2008
Li Wang Ali Ghorbani Yao Li

Current techniques employed in security alert correlation area for multi-step attack recognition purpose are intricate to be performed due to the complexity of the methods and huge computing workload generated during alert analysis and processing. In this paper, we proposed a new method of alert correlation aiming at providing concentrated security event information and thus finding multi-step ...

2004
Urko Zurutuza Roberto Uribeetxeberria Dorothy Denning

It is 17 years since Dorothy Denning proposed the first intrusion detection model. These systems have evolved rapidly from that model to present alarm correlation methods. Up to the moment, researchers have developed Intrusion Detection Systems (IDS) capable of detecting attacks in several environments. A boundlessness of methods for misuse detection as well as anomaly detection has been applie...

Journal: International Journal of Advanced Computer Science and Applications 2014

2012
Chenn-Jung Huang Kai-Wen Hu Heng-Ming Chen Tao-Ku Chang Yun-Cheng Luo Yih-Jhe Lien

An intrusion detection system (IDS) is a security layer that is used to discover ongoing intrusive attacks and anomalous activities in information systems, which means usually working in a dynamically changing environment. Although increasing attention to IDSs is evident in the literature, network security administrators are still faced with the task of analyzing enormous numbers of alerts prod...

2012
Hassan Rasheed

The notion of event correlation has been around for some time. Most recently, event correlation has gotten a significant amount of attention in the intrusion detection community under the topic of alert correlation. The principles behind event correlation, however, can also be used to relate events in seemingly heterogeneous domains such as access control and intrusion detection. To address the...

Journal: Computers & Security 2022

Alert correlation is a set of techniques that process alerts raised by intrusion detection systems to eliminate redundant alerts, reduce the number of false positives, and reconstruct attack scenarios. Since Industrial Control Systems (ICSs) exhibit both physical and cyber domains, they present unique challenges for alert correlation. The presence of heterogeneous domains each with its specific threats ha...

2003
DAN GORTON Dan Andersson Martin Fong

Intrusion detection is an important security tool. It has the possibility to provide valuable information about the current status of security. However, as enterprises deploy multiple intrusion detection sensors at key points in their networks, the issue of correlating messages from these sensors becomes increasingly important. A correlation capability reduces alert volume, and potentially impr...

Journal: Computer Networks 2007
Dong Yu Deborah A. Frincke

Intrusion detection systems (IDS) often provide poor quality alerts, which are insufficient to support rapid identification of ongoing attacks or predict an intruder’s next likely goal. In this paper, we propose a novel approach to alert postprocessing and correlation, the Hidden Colored Petri-Net (HCPN). Different from most other alert correlation methods, our approach treats the alert correla...

2012
Ricardo Jorge Santos Jorge Bernardino Marco Vieira Deolinda M. L. Rasteiro

Decision support for 24/7 enterprises requires 24/7 available Data Warehouses (DWs). In this context, web-based connections to DWs are used by business management applications demanding continuous availability. Given that DWs store highly sensitive business data, a web-based connection provides a door for outside attackers and thus, creates a main security issue. Database Intrusion Detection Sy...
