Abstract

One of the major problems of intrusion detection is the large number of alerts that intrusion detection systems (IDS) produce. The security operator who analyzes alerts and takes decisions is often overwhelmed by the number of alerts to analyze. In this paper, we present a new alert correlation approach based on the knowledge and preferences of security operators. This approach, which is complementary to existing ones, makes it possible to rank-order the produced alerts on the basis of the security operator's knowledge about the system and the IDS in use, and of his preferences about which alerts he wants to analyze or to ignore. Our approach is based on the development of a new non-classical logic for representing preferences, called FO-MQCL (First Order - Minimal Qualitative Choice Logic). Our logic extends a fragment of first-order logic by adding a new logical connective. The general idea is to present only the alerts that fully fit the security operator's preferences and knowledge; if needed, less preferred alerts can also be presented.
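As an added illustration of the ranking idea, and not code from the paper: the script below evaluates operator preferences written as ordered disjunctions (the standard Qualitative Choice Logic semantics that FO-MQCL extends: degree 1 if the first option holds, degree 2 if only the second holds, and so on) over a constructed set of alerts, presents those that fully fit the preferences first, and keeps the less preferred ones available on request. The alerts, the predicates, the host/service knowledge and the preferences are all constructed sample data and are not taken from the paper.

```python
# Constructed sample alerts, shaped like records an IDS might emit.
ALERTS = [
    {"id": 1, "sensor": "snort", "target": "web01", "severity": "high", "service": "http"},
    {"id": 2, "sensor": "snort", "target": "ws17", "severity": "low", "service": "smb"},
    {"id": 3, "sensor": "bro", "target": "db01", "severity": "medium", "service": "sql"},
    {"id": 4, "sensor": "bro", "target": "ws17", "severity": "high", "service": "smb"},
]

# Constructed operator knowledge about the system: critical hosts and the
# services each host actually runs.
CRITICAL = {"web01", "db01"}
RUNS = {"web01": {"http"}, "db01": {"sql"}, "ws17": {"smb"}}

# Atomic predicates over an alert; they play the role of the first-order atoms.
def critical_target(a): return a["target"] in CRITICAL
def relevant_service(a): return a["service"] in RUNS.get(a["target"], set())
def high_severity(a): return a["severity"] == "high"

# Constructed preferences. Each is an ordered disjunction p1 x> p2 x> ...:
# "prefer alerts on critical hosts; failing that, high-severity ones", and
# "the alerted service must run on the target" (a single option is a hard rule).
PREFS = [[critical_target, high_severity], [relevant_service]]

def degree(pref, alert):
    """Satisfaction degree of an ordered disjunction for one alert:
    the position of the first option that holds, or None if none holds."""
    for k, pred in enumerate(pref, start=1):
        if pred(alert):
            return k
    return None

def rank(alerts, prefs):
    """Rank alerts by their worst degree over all preferences (lower is better).
    Alerts that satisfy no option of some preference are set aside as ignored."""
    ranked, ignored = [], []
    for a in alerts:
        degs = [degree(p, a) for p in prefs]
        if None in degs:
            ignored.append(a)
        else:
            ranked.append((max(degs), a))
    ranked.sort(key=lambda t: (t[0], t[1]["id"]))
    return ranked, ignored

def present(alerts, prefs, max_degree=1):
    """Ids of alerts to show the operator: by default only those that fully fit
    (degree 1); raise max_degree to also surface less preferred alerts."""
    ranked, _ = rank(alerts, prefs)
    return [a["id"] for d, a in ranked if d <= max_degree]

if __name__ == "__main__":
    print(present(ALERTS, PREFS), present(ALERTS, PREFS, max_degree=2))
```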
