A Novel Approach Of Correlating And Analyzing Intrusion Alerts Based On Clustering Algorithm And Alerts' Prerequisite-Consequence Attribute

Posted on: 2008-06-23
Degree: Master
Type: Thesis
Country: China
Candidate: Z Z Wu
Full Text: PDF
GTID: 2178360212976128
Subject: Communication and Information System

Abstract/Summary:
Intrusion detection systems are one of the fastest-developing system security technologies of recent years and have become the second security barrier after the firewall. However, traditional intrusion detection systems have two major disadvantages: 1) they usually attend to individual low-level events and anomalies, generate a separate alert for each, and are unable to reveal the logical relations between alerts or the attacker's strategy; 2) they generate a great number of false alarms, mixed in with real alerts.

In this paper, a novel approach to correlating and analyzing intrusion alerts based on the combination of a clustering algorithm and the prerequisite-consequence method is proposed. Experiments on the DARPA 2000 dataset show that this approach can pre-process alerts successfully. Compared with the result of using only the prerequisite-consequence alert correlation method, the proposed approach eliminates 3 correlation errors, thus improving the efficiency of alert correlation.
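The abstract describes the two stages of the approach but gives no code. The following is an added illustration, not the thesis's implementation: a small Python model of the pipeline in which raw alerts are first clustered on (type, source, destination) within a time window and the resulting hyper-alerts are then linked by matching an earlier alert's consequences against a later alert's prerequisites. The alert types, predicates and the alert stream are constructed for this example; the thesis's own knowledge base and the DARPA 2000 alerts are not on the page. Running it with the window set to 0 disables clustering, which makes visible how repeated hits of one signature would otherwise each produce their own correlation edge.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hyper-alert type knowledge base: alert type -> (prerequisites, consequences).
# These types and predicates are constructed for this example; the page does
# not give the thesis's own definitions. "(src)"/"(dst)" are placeholders
# filled in from each concrete alert.
KNOWLEDGE_BASE: Dict[str, Tuple[Set[str], Set[str]]] = {
    "PORT_SCAN": (set(), {"HostReachable(dst)", "ServiceExposed(dst)"}),
    "SERVICE_EXPLOIT": ({"ServiceExposed(dst)"}, {"RootShell(dst)"}),
    "REMOTE_SHELL": ({"RootShell(dst)"}, {"ToolInstalled(dst)"}),
    "DDOS_AGENT_INSTALL": ({"ToolInstalled(dst)"}, {"DDoSReady(dst)"}),
}


@dataclass(frozen=True)
class Alert:
    """One raw IDS alert (constructed sample data, not real sensor output)."""
    id: int
    ts: float   # seconds since start of capture
    type: str
    src: str
    dst: str


@dataclass
class HyperAlert:
    """A cluster of raw alerts sharing (type, src, dst) within a time window."""
    type: str
    src: str
    dst: str
    first_ts: float
    last_ts: float
    members: List[int] = field(default_factory=list)


def cluster_alerts(alerts: List[Alert], window: float) -> List[HyperAlert]:
    """Clustering step: merge alerts with the same (type, src, dst) whose
    arrival gap is at most `window` seconds. Repeated signature hits from one
    scan collapse into a single hyper-alert, so they cannot each spawn their
    own correlation edge later."""
    clusters: List[HyperAlert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for c in clusters:
            if (c.type, c.src, c.dst) == (a.type, a.src, a.dst) and a.ts - c.last_ts <= window:
                c.last_ts = a.ts
                c.members.append(a.id)
                break
        else:
            clusters.append(HyperAlert(a.type, a.src, a.dst, a.ts, a.ts, [a.id]))
    return clusters


def instantiate(predicates: Set[str], src: str, dst: str) -> Set[str]:
    """Bind the (src)/(dst) placeholders of a predicate set to concrete hosts."""
    return {p.replace("(src)", f"({src})").replace("(dst)", f"({dst})") for p in predicates}


def correlate(hyper_alerts: List[HyperAlert]) -> List[Tuple[int, int]]:
    """Prerequisite-consequence step: h1 'prepares for' h2 when h1 ends before
    h2 begins and some consequence of h1 equals some prerequisite of h2.
    Returns (earlier_index, later_index) edges of the attack scenario graph."""
    edges: List[Tuple[int, int]] = []
    for i, h1 in enumerate(hyper_alerts):
        consequences = instantiate(KNOWLEDGE_BASE[h1.type][1], h1.src, h1.dst)
        for j, h2 in enumerate(hyper_alerts):
            if not h1.last_ts < h2.first_ts:
                continue
            prerequisites = instantiate(KNOWLEDGE_BASE[h2.type][0], h2.src, h2.dst)
            if consequences & prerequisites:
                edges.append((i, j))
    return edges


def build_scenario(alerts: List[Alert], window: float):
    """Run clustering, then correlation; window=0 disables clustering so the
    effect of the pre-processing step can be compared."""
    hyper_alerts = cluster_alerts(alerts, window)
    return hyper_alerts, correlate(hyper_alerts)


# Constructed alert stream: a scan signature fires three times, then a
# multi-stage intrusion against the same host, plus one unrelated scan.
SAMPLE_ALERTS = [
    Alert(1, 0.0, "PORT_SCAN", "10.0.0.5", "10.0.0.20"),
    Alert(2, 1.0, "PORT_SCAN", "10.0.0.5", "10.0.0.20"),
    Alert(3, 2.0, "PORT_SCAN", "10.0.0.5", "10.0.0.20"),
    Alert(4, 5.0, "PORT_SCAN", "10.0.0.9", "10.0.0.30"),
    Alert(5, 60.0, "SERVICE_EXPLOIT", "10.0.0.5", "10.0.0.20"),
    Alert(6, 120.0, "REMOTE_SHELL", "10.0.0.5", "10.0.0.20"),
    Alert(7, 180.0, "DDOS_AGENT_INSTALL", "10.0.0.5", "10.0.0.20"),
]

if __name__ == "__main__":
    for window in (0.0, 30.0):
        hs, edges = build_scenario(SAMPLE_ALERTS, window)
        print(f"window={window:>4}: {len(hs)} hyper-alerts, {len(edges)} edges")
        for i, j in edges:
            print(f"  {hs[i].type}{hs[i].members} -> {hs[j].type}{hs[j].members}")
```

On the constructed stream, correlation without clustering yields five edges, three of which are the same scan-to-exploit relation repeated once per duplicate scan alert; with a 30-second clustering window the three scan alerts become one hyper-alert and the scenario graph has exactly one edge per attack step. The unrelated scan against 10.0.0.30 establishes predicates for a host nothing later targets, so it correctly remains isolated in both runs.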
Keywords/Search Tags: intrusion detection, alert correlation, clustering algorithm, prerequisite-consequence alert correlation method