An Alert Correlation Method Based on Improved Cluster Algorithm

In the past several years, the alert correlation methods have been advocated to discover high-level attack scenarios by correlating the low-level alerts. The causal correlation method based on prerequisites and consequences has great advantages in the process of correlating alerts. But it must depend on complicated background knowledge base and has some limits in discovering new attacks. The cluster can aggregate the relational alerts by computing the similarity between alert attributes, as well as can discover new and simple high-level attacks. However, it is difficult to establish the attribute weights in the similarity membership function of two alerts and the threshold of classification similarity value. In order to solve the problem, the quantum-behaved particle swarm optimization algorithm is used to optimize the weights and similarity value. In view of the advantages and disadvantages of cluster and correlation, this paper uses improved cluster algorithm to optimize correlation in the process of attack detection. The experimental results on LLS DDoS1.0 prove that the method proposed is useful and effective.