Alert Management and Correlation

Chapter in: Network Intrusion Detection and Prevention

Part of the book series: Advances in Information Security (ADIS, volume 47)

Abstract

Alert management includes functions to cluster, merge and correlate alerts. The clustering and merging functions recognize alerts that correspond to the same occurrence of an attack and create a new alert that merges data contained in these various alerts. The correlation function can relate different alerts to build a big picture of the attack. The correlated alerts can also be used for cooperative intrusion detection and tracing an attack to its source.

Data fusion is the process of collecting information from multiple, possibly heterogeneous sources and combining it to obtain a more descriptive, intuitive and meaningful result [40]. According to Bass [2], the output of a fusion-based IDS is an estimate of the current security situation, including the identity of the threat source, the malicious activity, the attack rate, and an assessment of the potential severity for the projected target.
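The three functions named in the abstract, clustering, merging and correlation, can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the chapter or its authors. The alert fields, the clustering key `(signature, source, destination)`, the 60-second merge window and the small prerequisite/consequence table keyed by signature name are all assumptions chosen for the example; the alert stream is constructed.

```python
"""Toy alert clustering, merging and correlation pipeline.

Added illustration, not code from the book chapter. Alert fields, the
clustering key, the merge window and the PREREQ table are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Alert:
    ts: float        # seconds since epoch (constructed values below)
    sensor: str      # reporting sensor id
    sig: str         # signature / classification name
    src: str
    dst: str


@dataclass
class MetaAlert:
    """One merged alert standing for a cluster of raw alerts."""
    sig: str
    src: str
    dst: str
    first_ts: float
    last_ts: float
    count: int = 1
    sensors: Set[str] = field(default_factory=set)


def cluster_and_merge(alerts: List[Alert], window: float = 60.0) -> List[MetaAlert]:
    """Clustering + merging: raw alerts with the same (sig, src, dst) whose
    timestamp is within `window` seconds of the cluster's latest alert are
    folded into one meta-alert; count and contributing sensors accumulate."""
    merged: List[MetaAlert] = []
    open_clusters: Dict[Tuple[str, str, str], MetaAlert] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst)
        m = open_clusters.get(key)
        if m is not None and a.ts - m.last_ts <= window:
            m.count += 1
            m.last_ts = a.ts
            m.sensors.add(a.sensor)
        else:  # first alert of a new cluster (or the old one went stale)
            m = MetaAlert(a.sig, a.src, a.dst, a.ts, a.ts, 1, {a.sensor})
            open_clusters[key] = m
            merged.append(m)
    return merged


# Assumed prerequisite/consequence table: signature -> (requires, provides).
# Signature names and capability labels are placeholders for the example.
PREREQ: Dict[str, Tuple[Set[str], Set[str]]] = {
    "PORT_SCAN":   (set(),       {"recon"}),
    "SMB_EXPLOIT": ({"recon"},   {"shell"}),
    "OUTBOUND_C2": ({"shell"},   set()),
}


def correlate(metas: List[MetaAlert]) -> List[List[MetaAlert]]:
    """Correlation: meta-alert B is appended to a scenario whose last step A
    provides something B requires, ended before B started, and involves the
    same host (A.dst == B.dst, or B originates from A's victim A.dst)."""
    scenarios: List[List[MetaAlert]] = []
    for m in sorted(metas, key=lambda x: x.first_ts):
        requires = PREREQ.get(m.sig, (set(), set()))[0]
        for sc in scenarios:
            last = sc[-1]
            provides = PREREQ.get(last.sig, (set(), set()))[1]
            same_host = last.dst == m.dst or last.dst == m.src
            if requires & provides and last.last_ts <= m.first_ts and same_host:
                sc.append(m)
                break
        else:  # no scenario accepted it: it starts a new one
            scenarios.append([m])
    return scenarios


# Constructed alert stream: two sensors see the same scan three times, then
# an exploit of the scanned host, then that host calling out; plus one
# unrelated scan from another source.
SAMPLE = [
    Alert(1000.0, "nids-1", "PORT_SCAN",   "10.0.0.5",  "10.0.1.20"),
    Alert(1001.0, "nids-1", "PORT_SCAN",   "10.0.0.5",  "10.0.1.20"),
    Alert(1002.5, "nids-2", "PORT_SCAN",   "10.0.0.5",  "10.0.1.20"),
    Alert(1100.0, "nids-1", "SMB_EXPLOIT", "10.0.0.5",  "10.0.1.20"),
    Alert(1150.0, "hids-20", "OUTBOUND_C2", "10.0.1.20", "203.0.113.9"),
    Alert(1200.0, "nids-2", "PORT_SCAN",   "10.0.0.99", "10.0.1.30"),
]


def run(alerts: List[Alert] = SAMPLE, window: float = 60.0):
    """Full pipeline: returns (meta-alerts, scenarios)."""
    metas = cluster_and_merge(alerts, window)
    return metas, correlate(metas)


if __name__ == "__main__":
    metas, scenarios = run()
    print(f"{len(SAMPLE)} raw alerts -> {len(metas)} meta-alerts")
    for i, sc in enumerate(scenarios, 1):
        print(f"scenario {i}: " + " -> ".join(f"{m.sig}({m.src}>{m.dst} x{m.count})" for m in sc))
```

Run stand-alone, the six constructed alerts collapse to four meta-alerts (the three scan reports become one with `count == 3` and two contributing sensors), and correlation links scan, exploit and call-out into one scenario while the unrelated scan stays on its own. The merge window and the shared-host test are the knobs a practitioner tunes: too wide a window hides distinct events, too narrow one re-inflates the alert volume the merging step was meant to reduce.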


References

  1. Stefan Axelsson, The base-rate fallacy and its implications for the difficulty of intrusion detection, Proceedings of the 6th ACM Conference on Computer and Communications Security (Kent Ridge Digital Labs, Singapore), ACM Press, November 1999, pp. 1–7.

  2. Tim Bass, Intrusion detection systems and multisensor data fusion, Communications of the ACM 43 (2000), no. 4, 99–105.

  3. Curtis A. Carver, Adaptive agent-based intrusion response, Ph.D. thesis, Texas A&M University, 2001.

  4. S. Cheung, U. Lindqvist, and M.W. Fong, Modeling multistep cyber attacks for scenario recognition, DARPA Information Survivability Conference and Exposition, vol. 1, IEEE, April 2003, pp. 284–292.

  5. T. Chyssler, S. Nadjm-Tehrani, S. Burschka, and K. Burbeck, Alarm reduction and correlation in defence of IP networks, 13th International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE 2004), June 2004.

  6. F. Cuppens, Managing alerts in a multi-intrusion detection environment, Proceedings of the 17th Annual Computer Security Applications Conference, 2001, p. 22.

  7. F. Cuppens, F. Autrel, A. Miege, and S. Benferhat, Recognizing malicious intention in an intrusion detection process, Proceedings of Soft Computing Systems - Design, Management and Applications, HIS 2002 (Santiago) (A. Abraham, J. Ruiz del Solar, and M. Koppen, eds.), Frontiers in Artificial Intelligence and Applications, vol. 87, IOS Press, December 1–4, 2002, pp. 806–817, http://www.rennes.enst-bretagne.fr/fcuppens/Publications.htm.

  8. F. Cuppens and A. Miege, Alert correlation in a cooperative intrusion detection framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, IEEE, 2002, pp. 202–215.

  9. Frédéric Cuppens and Rodolphe Ortalo, LAMBDA: A language to model a database for detection of attacks, Proceedings of Recent Advances in Intrusion Detection, 3rd International Symposium (RAID 2000) (Toulouse, France) (H. Debar, L. Mé, and S.F. Wu, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2000, pp. 197–216.

  10. O.M. Dain and R.K. Cunningham, Fusing a heterogeneous alert stream into scenarios, Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications, 2001, pp. 1–13.

  11. Hervé Debar and Andreas Wespi, Aggregation and correlation of intrusion-detection alerts, Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium (RAID 2001) (Davis, CA, USA) (W. Lee, L. Mé, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2001, pp. 85–103.

  12. Dingbang Xu and Peng Ning, Alert correlation through triggering events and common resources, To appear in Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC), December 2004.

  13. S.T. Eckmann, G. Vigna, and R.A. Kemmerer, STATL: An attack language for state-based intrusion detection, Proceedings of the 1st ACM Workshop on Intrusion Detection Systems (Athens, Greece), November 2000.

  14. M. Erlinger and S. Staniford, Intrusion detection interchange format, November 2004.

  15. Deborah Frincke, Balancing cooperation and risk in intrusion detection, ACM Transactions on Information and System Security (TISSEC) 3 (2000), no. 1, 1–29.

  16. C.W. Geib and B.A. Goodman, Plan recognition in intrusion detection systems, DARPA Information Survivability Conference & Exposition II (DISCEX '01), Proceedings, vol. 1, June 2001, pp. 46–55.

  17. C. Clifton and G. Gengo, Developing custom intrusion detection filters using data mining, 21st Century Military Communications Conference Proceedings, vol. 1, IEEE, October 2000, pp. 440–443.

  18. Robert P. Goldman, A stochastic model for intrusions, Proceedings of Recent Advances in Intrusion Detection, 5th International Symposium (RAID 2002) (Zurich, Switzerland) (A. Wespi, G. Vigna, and L. Deri, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2002, pp. 199–218.

  19. Rajeev Gopalakrishna and Eugene Spafford, A framework for distributed intrusion detection using interest driven cooperating agents, Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium (RAID 2001) (Davis, CA, USA) (W. Lee, L. Mé, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2001, pp. 172–189.

  20. IETF Intrusion Detection Working Group, Intrusion detection message exchange format, http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-12.txt, 2004.

  21. J. Haines, D. Ryder, L. Tinnel, and S. Taylor, Validation of sensor alert correlators, IEEE Security and Privacy (2003).

  22. Jian-Qiang Zhai, Jun-Feng Tian, Rui-Zhong Du, and Jian-Cai Huang, Network intrusion early warning model based on D-S evidence theory, Proceedings of the 2003 International Conference on Machine Learning and Cybernetics, vol. 4, November 2003, pp. 1972–1977.

  23. Ming-Yuh Huang, Robert J. Jasper, and Thomas M. Wicks, A large scale distributed intrusion detection framework based on attack strategy analysis, Computer Networks 31 (1999), no. 23–24, 2465–2475, http://www.sciencedirect.com/science/article/B6VRG-3Y6HFD7-3/2/f434e03c9140282df6c29ccd919d0181.

  24. K. Julisch, Mining alarm clusters to improve alarm handling efficiency, Proceedings of the 17th Annual Computer Security Applications Conference, 2001, p. 12.

  25. K. Julisch, Clustering intrusion detection alarms to support root cause analysis, ACM Transactions on Information and System Security 6 (2003), no. 4, 443–471, http://www.zurich.ibm.com/kju/.

  26. Richard Lippmann, Seth Webster, and Douglas Stetson, The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection, Proceedings of Recent Advances in Intrusion Detection, 5th International Symposium (RAID 2002) (Zurich, Switzerland) (A. Wespi, G. Vigna, and L. Deri, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2002, pp. 307–326.

  27. J. McConnell, D. Frincke, D. Tobin, J. Marconi, and D. Polla, A framework for cooperative intrusion detection, Proceedings of the 21st National Information Systems Security Conference (NISSC), October 1998, pp. 361–373.

  28. Nathan Carey, Andrew Clark, and George M. Mohay, IDS interoperability and correlation using IDMEF and commodity systems, Proceedings of the 4th International Conference on Information and Communications Security, December 2002, pp. 252–264.

  29. Peng Ning and Yun Cui, An intrusion alert correlator based on prerequisites of intrusions, Tech. Report TR-2002-01, 2002.

  30. Peng Ning, Yun Cui, and Douglas S. Reeves, Constructing attack scenarios through correlation of intrusion alerts, Proceedings of the 9th ACM Conference on Computer and Communications Security (Washington D.C., USA), ACM Press, November 2002, pp. 245–254.

  31. Peng Ning, Yun Cui, Douglas S. Reeves, and Dingbang Xu, Techniques and tools for analyzing intrusion alerts, ACM Transactions on Information and System Security (TISSEC) 7 (2004), no. 2, 274–318.

  32. Peng Ning, Sushil Jajodia, and Xiaoyang Sean Wang, Abstraction-based intrusion detection in distributed environments, ACM Transactions on Information and System Security (TISSEC) 4 (2001), no. 4, 407–452.

  33. Peng Ning and Dingbang Xu, Learning attack strategies from intrusion alerts, Proceedings of the 10th ACM Conference on Computer and Communications Security (Washington D.C., USA), ACM Press, October 2003, pp. 200–209.

  34. Tadeusz Pietraszek, Using adaptive alert classification to reduce false positives in intrusion detection, 21st Century Military Communications Conference Proceedings, vol. 1, IEEE, October 2004, pp. 440–443.

  35. Phillip Porras, Martin W. Fong, and Alfonso Valdes, A mission-impact-based approach to infosec alarm correlation, Proceedings of Recent Advances in Intrusion Detection, 5th International Symposium (RAID 2002) (Zurich, Switzerland) (A. Wespi, G. Vigna, and L. Deri, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2002, pp. 95–114.

  36. X. Qin, W. Lee, L. Lewis, and J.B.D. Cabrera, Integrating intrusion detection and network management, Proceedings of the 8th IEEE/IFIP Network Operations and Management Symposium (NOMS) (Florence, Italy), April 2002, pp. 329–344.

  37. Xinzhou Qin and Wenke Lee, Statistical causality analysis of infosec alert data, Proceedings of Recent Advances in Intrusion Detection, 6th International Symposium (RAID 2003) (Pittsburgh, PA, USA) (G. Vigna, E. Jonsson, and C. Kruegel, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, September 2003, pp. 73–93.

  38. Reza Sadoddin, An incremental frequent structure mining framework for real-time alert correlation, Master's thesis, Faculty of Computer Science, University of New Brunswick, Fredericton, NB, Canada, July 2007.

  39. Reza Sadoddin and Ali A. Ghorbani, Real-time alert correlation using stream data mining techniques, Proceedings of the Twenty-Third AAAI Conference on Artificial Intelligence, 2008, pp. 1731–1737.

  40. Christos Siaterlis and Basil Maglaris, Towards multisensor data fusion for DoS detection, Proceedings of the 2004 ACM Symposium on Applied Computing (Nicosia, Cyprus), ACM Press, March 2004, pp. 439–446.

  41. A. Siraj, R.B. Vaughn, and S.M. Bridges, Intrusion sensor data fusion in an intelligent intrusion detection system architecture, Proceedings of the 37th Annual Hawaii International Conference on System Sciences, January 2004, pp. 279–288.

  42. Eugene H. Spafford and Diego Zamboni, Intrusion detection using autonomous agents, Computer Networks 34 (2000), no. 4, 547–570, http://www.sciencedirect.com/science/article/B6VRG-411FRK9-2/2/f818f61028e80aa2cd740fdc4a3cd696.

  43. Steven J. Templeton and Karl Levitt, A requires/provides model for computer attacks, Proceedings of the 2000 Workshop on New Security Paradigms, February 2001.

  44. G. Tedesco and U. Aickelin, Adaptive alert throttling for intrusion detection systems, submitted and under review (2003).

  45. J. Turner, New directions in communications (or which way to the information age?), IEEE Communications Magazine 24 (1986), 5–11.

  46. Alfonso Valdes and Keith Skinner, Adaptive, model-based monitoring for cyber attack detection, Proceedings of Recent Advances in Intrusion Detection, 3rd International Symposium (RAID 2000) (Toulouse, France) (H. Debar, L. Mé, and S.F. Wu, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2000, pp. 80–92.

  47. ——, Probabilistic alert correlation, Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium (RAID 2001) (Davis, CA, USA) (W. Lee, L. Mé, and A. Wespi, eds.), Lecture Notes in Computer Science, Springer-Verlag Heidelberg, October 2001, pp. 54–68.

  48. Fredrik Valeur, Giovanni Vigna, Christopher Kruegel, and Richard A. Kemmerer, A comprehensive approach to intrusion detection alert correlation, IEEE Transactions on Dependable and Secure Computing 1 (2004), no. 3, 146–169.

  49. Xinyuan Wang, The loop fallacy and serialization in tracing intrusion connections through stepping stones, Proceedings of the 2004 ACM Symposium on Applied Computing (Nicosia, Cyprus), ACM Press, March 2004, pp. 404–411.

  50. Q. Xue, J. Sun, and Z. Wei, TJIDS: An intrusion detection architecture for distributed network, Proceedings of the Canadian Conference on Electrical and Computer Engineering (IEEE CCECE 2003), May 2003, pp. 709–712.

  51. Ran Zhang, Depei Qian, Chongming Ba, Weiguo Wu, and Xiaobing Guo, Multi-agent based intrusion detection architecture, Proceedings of the 2001 IEEE International Conference on Computer Networks and Mobile Computing, October 2001, pp. 494–501.

  52. Ran Zhang, Depei Qian, Heng Chen, and Weiguo Wu, Collaborative intrusion detection based on coordination agent, Proceedings of the Fourth International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT'2003), August 2003, pp. 175–179.

  53. Yong Wang, Huihua Yang, Xingyu Wang, and Ruixia Zhang, Distributed intrusion detection system based on data fusion method, Proceedings of the Fifth World Congress on Intelligent Control and Automation (WCICA 2004), vol. 5, IEEE, June 2004, pp. 4331–4334.

Author information

Corresponding author: Ali A. Ghorbani.

Copyright information

© 2010 Springer-Verlag US

Cite this chapter

Ghorbani, A.A., Lu, W., Tavallaee, M. (2010). Alert Management and Correlation. In: Network Intrusion Detection and Prevention. Advances in Information Security, vol 47. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-88771-5_6

  • DOI: https://doi.org/10.1007/978-0-387-88771-5_6

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-88770-8

  • Online ISBN: 978-0-387-88771-5