
Real-time intrusion detection alert correlation

Posted on: 2007-12-28
Degree: Ph.D
Type: Dissertation
University: University of California, Santa Barbara
Candidate: Valeur, Fredrik
Full Text: PDF
GTID: 1458390005980793
Subject: Computer Science
Abstract/Summary:

Alert correlation is a process that analyzes the alerts produced by one or more intrusion detection systems and provides a more succinct and high-level view of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. Unfortunately, most approaches to correlation concentrate on just a few components of the process, providing formalisms and techniques that address only specific correlation issues. In addition, existing systems do not have the real-time performance needed to perform online alert correlation.

This dissertation presents a general correlation model that includes a comprehensive set of components and a real-time correlation tool based on this model. The tool has been applied to a number of intrusion detection datasets to identify how each component contributes to the overall goals of correlation and to validate the real-time performance of the tool. The results of these experiments show that the correlation tool is effective in achieving alert reduction and abstraction while operating in real time.
Keywords/Search Tags: Correlation, Intrusion detection, Real-time