A New Approach for QCL-Based Alert Correlation Process

  • Lydia Bouzar-Benlabiod
  • Salem Benferhat
  • Thouraya Bouabana-Tebibel
Part of the Studies in Computational Intelligence book series (SCI, volume 488)


Intrusion Detection Systems (IDS) are very important tools for network monitoring. However, they often produce a large quantity of alerts. The security operator who analyses IDS alerts is quickly overwhelmed. Alert correlation is a process applied to the IDS alerts in order to reduce their number. In this paper, we propose a new approach for logical based alert correlation which integrates the security operator’s knowledge and preferences in order to present to him only the most suitable alerts. The representation and the reasoning on these knowledge and preferences are done using a new logic called Instantiated First Order Qualitative Choice Logic (IFO-QCL). Our modeling shows an alert as an interpretation which allows us to have an efficient algorithm that performs the correlation process in a polynomial time. Experimental results are achieved on data collected from a real system monitoring. The result is a set of stratified alerts satisfying the operators criteria.


IDS alert correlation QCL preferences knowledge 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, J.: Computer security threat monitoring and surveillance. Technical report. James P. Anderson Company, Fort Washington, Pennsylvania (April 1980)Google Scholar
  2. 2.
    Axelsson, S.: Intrusion Detection Systems: A Survey and Taxonomy. Technical Report No 99-15, Dept. of Computer Engineering, Chalmers University of Technology, Sweden (March 2000)Google Scholar
  3. 3.
    Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A Data Mining Analysis of RTID Alarms. Recent Advances in Intrusion Detection Systems 34(4), 571–577 (2000)Google Scholar
  4. 4.
    Chifflier, P., Tricaud, S.: Intrusion Detection Systems Correlation: a Weapon of Mass Investigation, CanSecWest, Vancouver (March 2008)Google Scholar
  5. 5.
    Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: Proc. 17th Computer Security Applications Conference, pp. 22–31 (December 2001)Google Scholar
  6. 6.
    Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Transactions on Information and System Security (TISSEC) 6(4), 443–471 (2003)CrossRefGoogle Scholar
  7. 7.
    Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: an attack language for state-based intrusion Detection. Journal of Computer Security 10(1-2), 71–103 (2002)Google Scholar
  9. 9.
    Morin, B., Debar, H.: Correlation of intrusion symptoms: An application of chronicles. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 94–112. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Cuppens, F., Ortalo, R.: LAMBDA: A language to model a database for detection of attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  11. 11.
    Cuppens, F., Miege, A.: Alert Correlation in a Cooperative Intrusion Detection Framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, p. 202 ( May 2002)Google Scholar
  12. 12.
    Ning, P., Cui, Y., Reeves, S.: Constructing attack scenarios through correlation of intrusion alerts. In: CCS 2002: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 245–254. ACM, New York (2002)Google Scholar
  13. 13.
    Templeton, S.J., Levitt, K.: A requires/provides model for computer attacks. In: NSPW 2000: Proceedings of the 2000 Workshop on New Security Paradigms, pp. 31–38. ACM, New York (2000)CrossRefGoogle Scholar
  14. 14.
    Benferhat, S., Kenaza, T., Mokhtari, A.: A Naive Bayes Approach for Detecting Coordinated Attacks. In: COMPSAC 2008, pp. 704–709 (July-August 2008)Google Scholar
  15. 15.
    Benferhat, S., Sedki, K.: Two alternatives for handling preferences in qualitative choice logic. Fuzzy Sets and Systems Journal (FSS 2008) 159(15), 1889–1912 (2008)MathSciNetCrossRefMATHGoogle Scholar
  16. 16.
    Brewka, G., Benferhat, S., Le Berre, D.: Qualitative Choice Logic. Artificial Intelligence Journal (AIJ) 157(1-2), 203–237 (2004)CrossRefMATHGoogle Scholar
  17. 17.
    Cuppens, F.: Managing Alerts in a Multi-Intrusion Detection Environment. In: Proceedings of Recent Advances in Intrusion Detection, Davis, CA, USA, pp. 22–31 (October 2001)Google Scholar
  18. 18.
    Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Proceedings of Recent Advances in Intrusion Detection, Davis, CA, USA, pp. 85–103 (October 2001)Google Scholar
  19. 19.
    Qin, X., Lee, W.: Attack Plan Recognition and Prediction Using Causal Networks. In: ACSAC 2004, pp. 370–379 (2004)Google Scholar
  20. 20.
    Geib, C., Goldman, R.: Plan Recognition in Intrusion Detection Systems. In: Proceeding of DARPA Information Survivability Conference and Exposition (DISCEX), vol. 1, pp. 46–55 (June 2001)Google Scholar
  21. 21.
    Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format (IDMEF), Network Working Group, Request for Comments (RFC): 4765, Category: Experimental, SecureWorks, Inc. (March 2007)Google Scholar
  22. 22.
    Ranum, M.J.: False Positives: A Users Guide to Making Sense of IDS Alarms, ICSA Labs IDSC, white paper (2003)Google Scholar
  23. 23.
    Alsubhi, K., Al-Shaer, E., Boutaba, R.: Alert Prioritization in Intrusion Detection Systems. In: The 11th IEEE/IFIP Network Operations and Management Symposium (NOMS 2008), pp. 33–40 (April 2008)Google Scholar
  24. 24.
    Tabia, K., Benferhat, S., Leray, P., Me, L.: Alert correlation in intrusion detection: Combining AI-based approaches for exploiting security operators knowledge and preferences. In: Association for the Advancement of Artificial Intelligence (2011)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Lydia Bouzar-Benlabiod
    • 1
  • Salem Benferhat
    • 2
  • Thouraya Bouabana-Tebibel
    • 1
  1. 1.LCSI laboratoryEcole nationale Supérieure d’Informatique (ESI)AlgiersAlgeria
  2. 2.CRIL-CNRSUniversité d’ArtoisLensFrance

Personalised recommendations