Abstract

Current intrusion detection systems (IDSs) often trigger a large number of alerts, most of which are redundant alerts and false positives. Consequently, it is difficult for administrators to understand the alerts and take appropriate actions. Several alert correlation methods have been proposed. However, these methods do not consider the differences in reliability among alerts reported by multiple IDSs. This paper presents a novel alert correlation approach based on Dempster-Shafer evidence theory, which regards the alerts as evidence of a network attack and combines all the evidence according to Dempster's combination rule, inferring whether the attack has taken place. The main advantage of the approach is that it can eliminate the ambiguity and conflict in alerts and reduce the number of alerts. With the DARPA 2000 test dataset, experimental results demonstrate that the approach can reduce more than 69% of reported alerts and decrease the false positive rate efficiently.
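The following is an added example (not code from the paper) illustrating the core of the approach: each IDS alert becomes a mass function over the frame {attack, benign}, where the sensor's reliability is the mass committed to its hypothesis and the remainder is left as ignorance, and Dempster's rule fuses the alerts into a belief and plausibility for "attack". The reliability values, the two-element frame and the sample alerts are assumptions constructed for illustration.

```python
from itertools import product

ATTACK = frozenset({"attack"})
BENIGN = frozenset({"benign"})
THETA = ATTACK | BENIGN  # frame of discernment: mass here means ignorance


def alert_to_mass(reliability, supports_attack=True):
    """Basic probability assignment for one alert from a sensor of the
    given reliability r: mass r on the supported hypothesis, 1 - r on the
    whole frame. This is where differing IDS reliabilities enter."""
    if not 0.0 < reliability < 1.0:
        raise ValueError("reliability must be strictly between 0 and 1")
    focal = ATTACK if supports_attack else BENIGN
    return {focal: reliability, THETA: 1.0 - reliability}


def dempster_combine(m1, m2):
    """Dempster's rule: orthogonal sum of two mass functions, normalised
    by 1 - K, where K is the mass that fell on the empty set (conflict)."""
    combined, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        meet = a & b
        if meet:
            combined[meet] = combined.get(meet, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: sources are contradictory")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}, conflict


def correlate(alerts):
    """Fuse (reliability, supports_attack) alerts about one event.
    Returns Bel(attack), Pl(attack) and the conflict K of the last step."""
    mass, conflict = {THETA: 1.0}, 0.0
    for reliability, supports_attack in alerts:
        mass, conflict = dempster_combine(
            mass, alert_to_mass(reliability, supports_attack))
    bel = mass.get(ATTACK, 0.0)
    pl = bel + mass.get(THETA, 0.0)
    return bel, pl, conflict


def attack_inferred(alerts, threshold=0.8):
    """Decide the attack hypothesis once belief reaches the threshold."""
    return correlate(alerts)[0] >= threshold


if __name__ == "__main__":
    # Constructed sample: two sensors flag the flow, a weaker one disagrees.
    bel, pl, k = correlate([(0.6, True), (0.7, True), (0.3, False)])
    print(f"Bel={bel:.3f} Pl={pl:.3f} conflict={k:.3f}")
```

Two corroborating sensors raise belief above either sensor's own reliability, while a dissenting low-reliability sensor produces measurable conflict without overturning the decision.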
