Abstract

Intrusion Detection Systems (IDS) are very important tools for network monitoring. However, they often produce a large quantity of alerts, and the security operator who analyses them is quickly overwhelmed. Alert correlation is a process applied to IDS alerts in order to reduce their number. In this paper, we propose a new approach to logic-based alert correlation that integrates the security operator's knowledge and preferences in order to present only the most suitable alerts to the operator. Knowledge and preferences are represented and reasoned about using a new logic called Instantiated First Order Qualitative Choice Logic (IFO-QCL). Our modelling treats an alert as an interpretation, which yields an efficient algorithm that performs the correlation process in polynomial time. Experimental results are obtained on data collected from the monitoring of a real system. The result is a set of stratified alerts satisfying the operator's criteria.

Keywords: IDS, alert correlation, QCL, preferences, knowledge
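The following is an added illustration, not code from the paper: it evaluates a propositional simplification of QCL satisfaction degrees over alerts modeled as interpretations and stratifies them by degree. The semantics assumed are those of standard QCL (ordered disjunction ranked by the first satisfied choice, conjunction taking the worst degree) with classical negation, and the atom names and alerts are constructed; the paper's IFO-QCL is first-order and may differ in detail.

```python
# Added example, not code from the paper: propositional QCL satisfaction
# degrees applied to IDS alerts modeled as interpretations (sets of true atoms).
# Assumed semantics: standard QCL with classical negation; the paper's
# IFO-QCL is first-order and may differ in detail.
# Formulas are tuples: ("atom", a), ("not", f), ("and", f, g), ("or", f, g)
# and ("ord", f1, f2, ...) for the ordered disjunction f1 x-> f2 x-> ...

def degree(f, alert):
    """Degree to which interpretation `alert` satisfies f: 1 is best,
    larger is less preferred, None means f is not satisfied at all."""
    op, args = f[0], f[1:]
    if op == "atom":
        return 1 if args[0] in alert else None
    if op == "not":   # classical: holds iff the subformula fails
        return 1 if degree(args[0], alert) is None else None
    ds = [degree(g, alert) for g in args]
    if op == "and":   # all must hold; degree is the worst of them
        return None if None in ds else max(ds)
    if op == "or":    # any may hold; degree is the best satisfied one
        sat = [d for d in ds if d is not None]
        return min(sat) if sat else None
    if op == "ord":   # degree k = rank of the first satisfied choice
        return next((k for k, d in enumerate(ds, 1) if d is not None), None)
    raise ValueError(f"unknown operator {op!r}")

def stratify(pref, alerts):
    """Alert ids grouped by degree, most preferred stratum first; alerts
    that do not satisfy the preference at all are filtered out."""
    strata = {}
    for aid, atoms in alerts.items():
        d = degree(pref, frozenset(atoms))
        if d is not None:
            strata.setdefault(d, []).append(aid)
    return [sorted(strata[d]) for d in sorted(strata)]

# Constructed sample alerts (not real IDS data), one set of true atoms each
ALERTS = {
    "a1": {"sev_high", "tcp", "dst_dmz"},
    "a2": {"sev_low", "tcp", "dst_dmz"},
    "a3": {"sev_med", "tcp", "dst_internal"},
    "a4": {"sev_med", "udp", "dst_internal"},
}
# Operator preference: high over medium over low severity, and no UDP alerts
PREF = ("and", ("ord", ("atom", "sev_high"), ("atom", "sev_med"), ("atom", "sev_low")),
               ("not", ("atom", "udp")))
```

Each alert is evaluated once against the preference formula, so the stratification is linear in the number of alerts times the formula size, in line with the polynomial-time claim of the abstract.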
