Alert Correlation Model Design Based on Self-regulate

The multi-step attack is one of the primary forms of the current network intrusions. How to detect these attacks is an important aspect of IDS (Intrusion Detection System) research. The correlation research in intrusion detection performs mainly on the following aspects: reducing the false alert rate and omission rate; detecting unknown attacks; attack forecasting. Especially the development of the third point perhaps improves the passive detection to the active protection. Through the study on patterns of the multi-step attack, a model of alert correlation which is based on self-regulate is designed. This paper describes the definition and classification of alert correlation. Also it introduces the association rules. To improve efficiency of IDS, the paper applies data mining technology to IDS In the paper we present a method of how to acquire the intrusion knowledge from the logs and detect the intrusion behaviors based on the improved Apriori algorithm.