This paper reports research work addressing the problem of the large number of alerts generated by the detectors of an intrusion detection system. Some of these alerts are redundant and have to be aggregated; others follow a certain attack pattern and should be correlated. Collectively, this operation is referred to as alert correlation, and a more detailed explanation of it is presented in the paper. The paper proposes a rule-based approach to the problem: an inference engine is implemented that derives the correlation between alerts using a scenario-based knowledge base and aggregates redundant alerts. Experimental results based on sample alerts and scenarios are reported.
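As an added illustration of the two operations the abstract names (this is not the paper's inference engine or knowledge base, but a toy model written for this page), the block below first aggregates redundant alerts that share source, destination and signature within a time window, then checks each source/destination pair against a scenario expressed as an ordered list of signature steps. The alert fields, the signature names, the window sizes and the single scenario are all assumptions; the sample alerts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One detector alert; field layout is an assumption for this example."""
    ts: int    # seconds since some epoch
    src: str   # attacker address
    dst: str   # victim address
    sig: str   # detector signature name


# Constructed sample alerts (not from the paper): one host scans, brute-forces
# SSH and then escalates privilege on a target; a second host only scans.
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "10.0.0.20", "portscan"),
    Alert(101, "10.0.0.5", "10.0.0.20", "portscan"),        # redundant
    Alert(102, "10.0.0.5", "10.0.0.20", "portscan"),        # redundant
    Alert(150, "10.0.0.5", "10.0.0.20", "ssh_bruteforce"),
    Alert(151, "10.0.0.5", "10.0.0.20", "ssh_bruteforce"),  # redundant
    Alert(300, "10.0.0.5", "10.0.0.20", "sudo_privesc"),
    Alert(310, "10.0.0.9", "10.0.0.20", "portscan"),        # no follow-up
]

# Hypothetical scenario knowledge base: ordered signature steps that, when
# seen from one source against one destination, make up a known attack.
SCENARIOS = {
    "scan_bruteforce_privesc": ["portscan", "ssh_bruteforce", "sudo_privesc"],
}


def aggregate(alerts, window=60):
    """Collapse alerts with the same (src, dst, sig) that arrive within
    `window` seconds of the previous one into a single meta-alert with a count.
    Returns meta-alerts in order of first occurrence."""
    groups = []
    open_group = {}  # (src, dst, sig) -> index of the group still accepting alerts
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.sig)
        idx = open_group.get(key)
        if idx is not None and a.ts - groups[idx]["last_ts"] <= window:
            groups[idx]["count"] += 1
            groups[idx]["last_ts"] = a.ts
        else:
            groups.append({"first_ts": a.ts, "last_ts": a.ts, "src": a.src,
                           "dst": a.dst, "sig": a.sig, "count": 1})
            open_group[key] = len(groups) - 1
    return groups


def correlate(meta_alerts, scenarios=SCENARIOS, max_gap=600):
    """For each (src, dst) pair, test whether the steps of each scenario occur
    as an ordered subsequence of that pair's meta-alerts, each step starting no
    more than `max_gap` seconds after the previous step ended."""
    by_pair = defaultdict(list)
    for m in meta_alerts:
        by_pair[(m["src"], m["dst"])].append(m)

    matches = []
    for (src, dst), mas in by_pair.items():
        mas.sort(key=lambda m: m["first_ts"])
        for name, steps in scenarios.items():
            i, prev_end, matched = 0, None, []
            for m in mas:
                if i == len(steps):
                    break
                in_time = prev_end is None or m["first_ts"] - prev_end <= max_gap
                if m["sig"] == steps[i] and in_time:
                    matched.append(m)
                    prev_end = m["last_ts"]
                    i += 1
            if i == len(steps):
                matches.append({"scenario": name, "src": src, "dst": dst,
                                "steps": matched})
    return matches


def run(alerts=SAMPLE_ALERTS):
    """Aggregate, then correlate; returns (meta_alerts, scenario_matches)."""
    metas = aggregate(alerts)
    return metas, correlate(metas)


if __name__ == "__main__":
    metas, found = run()
    for m in metas:
        print(f"{m['src']} -> {m['dst']} {m['sig']} x{m['count']}")
    for f in found:
        print(f"scenario {f['scenario']}: {f['src']} -> {f['dst']}")
```

The seven raw alerts reduce to four meta-alerts, and only the 10.0.0.5 to 10.0.0.20 pair completes the scenario; the lone scan from 10.0.0.9 matches the first step only and is not reported, which is the behaviour an analyst wants from a scenario rule as opposed to a per-signature threshold.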
Peyman Kabiri, Ali A. Ghorbani