Intrusion Alert Correlation Framework: An Innovative Approach

  • Huwaida Tagelsir Elshoush
  • Izzeldin Mohamed Osman
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 229)


Alert correlation analyzes the alerts from one or more collaborative intrusion detection systems (IDSs) to produce a concise overview of security-related activity on a network. The process consists of multiple components, each responsible for a different aspect of the overall correlation goal. The sequence order of the correlation components affects the process performance. The total time needed for the whole process depends on the number of processed alerts in each component. An innovative alert correlation framework is introduced based on a model that reduces the number of processed alerts as early as possible by discarding the irrelevant and false alerts in the first phases. A new component, shushing the alerts, is added to deal with the unrelated alerts. A modified algorithm for fusing the alerts is presented. The intruders’ intention is grouped into attack scenarios and thus used to detect future attacks. DARPA 2000 ID scenario specific datasets is used to evaluate the alert correlator model. The experimental results show that the correlation model is effective in achieving alert reduction and abstraction. The performance is improved after the attention is focused on correlating higher severity alerts.


Alert correlation Alert correlation datasets Alert reduction  Collaborative intrusion detection systems False alarm rate Intrusion detection 


  1. 1.
    Amiri F, Yousefi MMR, Lucas C, Shakery A (2011) Improved feature selection for intrusion detection system. J Netw Comput ApplGoogle Scholar
  2. 2.
    Bye R, Camtepe SA, Albayrak S (2010) Collaborative intrusion detection framework: characteristics, adversarial opportunities and countermeasuresGoogle Scholar
  3. 3.
    Cui Y (2002) A toolkit for intrusion alerts correlation based on prerequistes and consequences of attacks, MSc thesisGoogle Scholar
  4. 4.
    Davis JJ, Clark AJ (2011) Data preprocessing for anomaly-based network intrusion detection: a review. J Comput Secur 30:353–375Google Scholar
  5. 5.
    Debar H, Curry D, Feinstein B (2007) The intrusion detection message exchange format (IDMEF).
  6. 6.
    Elshoush HT, Osman IM (2011) Alert correlation in collaborative intelligent intrusion detection systems—a survey. J Appl Soft Comput 11(7):4349–4365Google Scholar
  7. 7.
    Elshoush HT, Osman IM (2012) An improved framework for intrusion alert correlation. Lecture notes in engineering and computer science: proceedings of the world congress on engineering, WCE, U.K, London, pp 518–523, 4–6 July 2012Google Scholar
  8. 8.
    Ghorbani AA, Lu W, Tavallaee M (2010) Network intrusion detection and prevention: concepts and techniques. Springer, HeidelbergGoogle Scholar
  9. 9.
    Kruegel C, Valeur F, Vigna G (2005) Intrusion detection and correlation—challenges and solutions. Springer, BostonGoogle Scholar
  10. 10.
    MIT Lincoln laboratory (2000) DARPA intrusion detection scenario specific datasets.
  11. 11.
    Ning P (2007) TIAA: a toolkit for intrusion alert analysis.
  12. 12.
    Ning P, Cui Y, Reeves DS (2002) Analyzing intensive intrusion alerts via correlation. In: Proceedings of the 5th international symposium on recent advances in intrusion detection (RAID 2002), LNCS 2516, Zurich, Switzerland, pp 74–94, Oct 2002Google Scholar
  13. 13.
    Ning P, Cui Y, Reeves DS (2002) Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM conference on computer and communications security, Washington, DC, pp 245–254, Nov 2002Google Scholar
  14. 14.
    Siraj MM, Maarof MA, Hashim SZM (2009) Intelligent alert clustering model for network intrusion analysis. Int J Advanc Soft Comput Appl 1(1), ICSRS Publication, ISSN 2074–8523Google Scholar
  15. 15.
    Taha AE, Ghaffar AI, Bahaa Eldin AM, Mahdi HMK (2010) Agent based correlation model For intrusion detection alerts. IEEE Computer Society, LondonGoogle Scholar
  16. 16.
    Valeur F (2006) Real-time ID alert correlation, PhD thesis. Barbara, USAGoogle Scholar
  17. 17.
    Valeur F, Vigna G, Kruegel C, Kemmerer R (2004) A comprehensive approach to intrusion detection alert correlation. IEEE Trans Dependable Secure Comput 1(3):146–169Google Scholar
  18. 18.
    Yusof R, Selamat SR, Sahib S (2008) Intrusion alert correlation technique analysis for heterogeneous log. Int J Comput Sci Netw Secur (IJCSNS) 8(9):132–138Google Scholar
  19. 19.
    Zainal A, Maarof MA, Shamsuddin SM (2007) Features selection using rough-PSO in anomaly intrusion detectionGoogle Scholar
  20. 20.
    Zainal A, Maarof MA, Shamsuddin SM (2006) Feature selection using rough set in intrusion detectionGoogle Scholar
  21. 21.
    Zhou CV, Leckie C, Karunasekera S (2009) Decentralized multidimensional alert correlation for collaborative intrusion detection. J Netw Comput Appl 32:1106–1123Google Scholar
  22. 22.
    Zhou CV, Leckie C, Karunasekera S (June 2009) A survey of coordinated attacks and collaborative intrusion detection. Elsevier Ltd, Computer SecurityGoogle Scholar

Copyright information

© Springer Science+Business Media Dordrecht 2013

Authors and Affiliations

  • Huwaida Tagelsir Elshoush
    • 1
  • Izzeldin Mohamed Osman
    • 2
  1. 1.Department of Computer Science, Faculty of Mathematical SciencesUniversity of KhartoumKhartoumSudan
  2. 2.Sudan University of Science and TechnologyKhartoumSudan

Personalised recommendations