An innovative framework for collaborative intrusion alert correlation

Alert correlation analyzes the alerts from one or more Collaborative Intrusion Detection Systems (CIDSs) to produce a concise overview of security-related activity on the network. The correlation process consists of multiple components, each responsible for a different aspect of the overall correlation goal. The sequential order of the correlation components affects the correlation process performance. Furthermore, the total time needed for the whole process depends on the number of processed alerts in each component. This paper presents an innovative alert correlation framework that minimizes the number of processed alerts on each component and thus reducing the correlation processing time. By reordering the components, the introduced correlation model reduces the number of processed alerts as early as possible by discarding the irrelevant, unreal and false alerts in the early phases of the correlation process. A new component, shushing the alerts, is added to deal with the unrelated and false positive alerts. A modified algorithm for fusing the alerts is outlined. The intruders´ intention is grouped into attack scenarios and thus used to detect future attacks. DARPA 2000 intrusion detection scenario specific datasets and a testbed network were used to evaluate the innovative alert correlation model. Comparisons with a previous correlation system were performed. The results of processing these datasets and recognizing the attack patterns demonstrated the potential of the improved correlation model and gave favorable results.