DocumentCode :
3299219
Title :
Vulnerabilities Analyzing Model for Alert Correlation in Distributed Environment
Author :
Long, Wen ; Xin, Yang ; Yang, Yixian
Author_Institution :
State Key Lab. of Networking & Switching Technol., Beijing Univ. of Posts & Telecommun., Beijing, China
fYear :
2009
fDate :
11-12 July 2009
Firstpage :
408
Lastpage :
411
Abstract :
With the growing deployment of host and network intrusion detection systems, managing alerts from these systems becomes critically important. A promising approach is to develop a cooperation module between several IDSs to achieve alert correlation and generate more global and synthetic alerts. Some approaches (e.g. TIAA) have developed a workable solution for correlating intrusion alerts using the prerequisites of intrusions, which constructs attack scenarios by correlating alerts on the basis of the prerequisites and consequences of attacks. The biggest defect of these approaches lies in the complexity of the relations between consequences, so that the correlation graphs may be very large and unreadable. This occurs mainly because these approaches correlate all alerts on an equal footing and do not consider how different alerts affect the same information system. We propose a model for alert correlation that incorporates information about vulnerabilities. Similar to TIAA, we use a hyper-alert type to encode our knowledge about each type of attack. Our approach differs from TIAA in the definition of the hyper-alert type and the correlation measure. In addition, our proposal includes a relational database implementation, and the corresponding tables are automatically generated from data sources: the IDS and the vulnerability scanner fill the database with events.
Keywords :
distributed processing; graph theory; relational databases; security of data; correlation graphs; distributed environment; information system; network intrusion detection systems; relational database; vulnerabilities analyzing model; Conference management; Engineering management; Environmental management; Humans; Information systems; Intrusion detection; Laboratories; Monitoring; Proposals; Relational databases; alert correlation; hyper-alert type; prerequisites and consequences; vulnerability tuple;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Services Science, Management and Engineering, 2009. SSME '09. IITA International Conference on
Conference_Location :
Zhangjiajie
Print_ISBN :
978-0-7695-3729-0
Type :
conf
DOI :
10.1109/SSME.2009.132
Filename :
5233261
Link To Document :