A Cognitive Model for Alert Correlation in a Distributed Environment

  • Ambareen Siraj
  • Rayford B. Vaughn
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3495)


Alert fusion for strengthening information assurance in systems is a promising research area that has recently begun to attract attention. Increased demands for “more trustworthy” systems and the fact that a single sensor cannot detect all types of misuse/anomalies have prompted most modern information systems deployed in distributed environments to employ multiple, diverse sensors. Therefore, the outputs of the sensors must be fused in an effective and intelligent manner in order to provide an overall view of the status of such systems. A unified architecture for intelligent alert fusion will essentially combine alert prioritization, alert clustering and alert correlation. In this paper, we address the alert correlation aspect of sensor data fusion in distributed environments. A causal knowledge-based inference technique with fuzzy cognitive modeling is used to correlate alerts by discovering causal relationships in alert data.


Network security, intelligent alert fusion, alert correlation, fuzzy cognitive modeling





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Ambareen Siraj (1)
  • Rayford B. Vaughn (1)
  1. Department of Computer Science and Engineering, Center for Computer Security Research
