DocumentCode
3234550
Title
An Adaptive Rule-Based Intrusion Alert Correlation Detection Method
Author
Huang, Chenn-Jung ; Li, Ching-Yu ; Wang, Yu-Wu ; Lin, Chin-Fa ; Liao, Jia-Jian ; Hu, Kai-Wen
Author_Institution
Dept. of Comput. Sci. & Inf. Eng., Nat. Dong Hwa Univ., Hualien, Taiwan
fYear
2010
fDate
21-24 Oct. 2010
Firstpage
222
Lastpage
226
Abstract
An intrusion detection system (IDS) is a security layer that is used to discover ongoing intrusive attacks and anomalous activities in information systems, and it usually works in a dynamically changing environment. Although an increasing number of IDSs have been developed in the literature, network security administrators are faced with the task of analyzing the enormous number of alerts produced from the analysis of different event streams. The intrusion detection model needs to be continuously tuned in order to reduce correlative alerts and help the administrator to determine accurate and critical attacks. In this work, an alert correlation detection module is proposed to analyze the alerts produced by IDSs and provide a more succinct and overall view of intrusions. An automatically tuned IDS rules generation module based on a fuzzy logic technique is used to block the highly correlative alerts. The experimental results reveal that the proposed work is effective in achieving alert reduction and abstraction.
Keywords
correlation methods; fuzzy logic; information systems; security of data; IDS rules generation module; adaptive rule-based intrusion alert correlation detection method; anomaly activities; fuzzy logic technique; information systems; intrusion detection system; intrusive attacks; security layer; Correlation; Databases; Firing; Fuzzy logic; Intrusion detection; Tuning; IDS rule tuning; Intrusion detection system; adaptive tuning; alert reduction; intrusion correlation;
fLanguage
English
Publisher
IEEE
Conference_Titel
Networking and Distributed Computing (ICNDC), 2010 First International Conference on
Conference_Location
Hangzhou
Print_ISBN
978-1-4244-8382-2
Type
conf
DOI
10.1109/ICNDC.2010.53
Filename
5645432