Abstract
Intrusion Detection Systems (IDS) are necessary for the system monitoring. However they produce a huge quantity of alerts. Alert correlation is a process applied to the IDS alerts in order to reduce their number. In this paper we propose a new approach for alert correlation which enables the integration of new information to the alert correlation process: Security operator's knowledge and preferences. This information concerns the monitoring system and the risk level of each alert in according for instance to the operator's experiences. The representation and the reasoning on these knowledge and preferences are done using the Qualitative Choice Logic (QCL) and its extensions: Prioritized Qualitative Choice Logic (PQCL) and Positive Qualitative Choice Logic (QCL+). Experimental results are achieved on data from a real system monitoring. The result is a set of ordered alerts which satisfies operator's criteria.
Published Version
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.