Intrusion Detection Alert Verification Based on Multi-level Fuzzy Comprehensive Evaluation

  • Chengpo Mu
  • Houkuan Huang
  • Shengfeng Tian
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3801)


Alert verification is a process that compares the information referred to by an alert with the configuration and topology information of its target system in order to determine whether the alert is relevant to that system. It can reduce false positive alerts and irrelevant alerts. The paper presents an alert verification approach based on multi-level fuzzy comprehensive evaluation. Its effectiveness in reducing false alerts and irrelevant alerts has been proved by our experiments. The algorithm can deal with uncertainties better than other alert verification approaches. The relevance score vectors obtained from the algorithm facilitate the formulation of fine and flexible security policies, and further alert processing.





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Chengpo Mu (1)
  • Houkuan Huang (1)
  • Shengfeng Tian (1)
  1. School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China
