Abstract

With the growth of computer networks, security devices produce a large volume of low-level alerts. Analysing and managing these intrusion alerts is a troublesome and time-consuming task for network supervisors and intrusion response systems. Alert correlation methods find similarity and causality relationships between raw alerts in order to reduce alert redundancy, correlate security alerts intelligently and detect attack strategies. Several approaches to alert correlation have been proposed, which are designed to detect known attack scenarios. This paper presents a new alert correlation framework that does not rely on predefined knowledge. For this purpose, we define the concept of partial entropy for each alert in order to find clusters of alerts carrying the same information. We then represent each alert cluster by an intelligible notation called a hyper-alert. Finally, a subset of the hyper-alerts is selected based on entropy maximization. The experimental results clearly show the efficiency of the proposed framework: we achieved a promising reduction ratio of 99.83% on the LLS_DDOS_1.0 attack scenario of the DARPA2000 dataset, while the constructed hyper-alerts retain enough information to discover the attack scenario.
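
The following is an added illustration of the pipeline the abstract outlines, not the paper's own code or its exact definitions: "partial entropy" is assumed here to be the information content of an alert's field values under the empirical distribution of the alert set, alerts with equal partial entropy are clustered into one hyper-alert, and the entropy-maximizing selection is taken as keeping the most informative hyper-alerts. The alert sample is constructed and is not taken from DARPA2000.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed sample of raw IDS alerts (not from DARPA2000); fields are typical alert attributes.
ALERTS = [
    {"sig": "ICMP_PING", "src": "10.0.0.5", "dst": "172.16.1.1"},
    {"sig": "ICMP_PING", "src": "10.0.0.5", "dst": "172.16.1.2"},
    {"sig": "ICMP_PING", "src": "10.0.0.5", "dst": "172.16.1.3"},
    {"sig": "ICMP_PING", "src": "10.0.0.5", "dst": "172.16.1.3"},
    {"sig": "RPC_PROBE", "src": "10.0.0.5", "dst": "172.16.1.3"},
    {"sig": "RPC_PROBE", "src": "10.0.0.5", "dst": "172.16.1.3"},
    {"sig": "REMOTE_LOGIN", "src": "10.0.0.5", "dst": "172.16.1.3"},
]
FIELDS = ("sig", "src", "dst")

def partial_entropy(alert, freq, n):
    """Assumed reading of 'partial entropy': information content in bits of the alert's
    field values under the empirical distribution (sum of per-field surprisal).
    Rare values (a new destination, a seldom-seen signature) make an alert more informative."""
    return sum(-log2(freq[f][alert[f]] / n) for f in FIELDS)

def build_hyper_alerts(alerts):
    """Cluster alerts carrying the same information (equal partial entropy) into hyper-alerts.
    A hyper-alert keeps the set of values seen per field, its bits and the cluster size."""
    freq, n = {f: Counter(a[f] for a in alerts) for f in FIELDS}, len(alerts)
    clusters = defaultdict(list)
    for a in alerts:
        clusters[round(partial_entropy(a, freq, n), 6)].append(a)
    hyper = []
    for bits, members in clusters.items():
        h = {f: sorted({m[f] for m in members}) for f in FIELDS}
        h.update(bits=bits, count=len(members))
        hyper.append(h)
    return hyper

def reduction_ratio(n_raw, n_hyper):
    """Fraction of raw alerts the supervisor no longer has to inspect individually."""
    return 1 - n_hyper / n_raw

def select_by_entropy(hyper, k):
    """Keep the k hyper-alerts with the highest information content (assumed greedy form)."""
    return sorted(hyper, key=lambda h: h["bits"], reverse=True)[:k]

if __name__ == "__main__":
    hyper = build_hyper_alerts(ALERTS)
    print(f"{len(ALERTS)} alerts -> {len(hyper)} hyper-alerts, "
          f"reduction {reduction_ratio(len(ALERTS), len(hyper)):.2%}")
    for h in select_by_entropy(hyper, 2):
        print(h)
```

On this sample the two pings to new hosts fall into one hyper-alert (same bits, merged destination set) and the four repeated alerts against 172.16.1.3 collapse to three, giving a 42.86% reduction.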
