Real-time analysis of intrusion detection alerts via correlation

With the growing deployment of networks and the Internet, the importance of network security has increased. Recently, however, systems that detect intrusions, which are important in security countermeasures, have been unable to provide proper analysis or an effective defense mechanism. Instead, they have overwhelmed human operators with a large volume of intrusion detection alerts. This paper presents a fast and efficient system for analyzing alerts. Our system basically depends on the probabilistic correlation. However, we enhance the probabilistic correlation by applying more systematically defined similarity functions and also present a new correlation component that is absent in other correlation models. The system can produce meaningful information by aggregating and correlating the large volume of alerts and can detect large-scale attacks such as distributed denial of service (DDoS) in early stage. We measured the processing rate of each elementary component and carried out a scenario-based test in order to analyze the efficiency of our system. Although the system is still imperfect, we were able to reduce the numerous redundant alerts 5.5% of the original volume without distorting the meaning through two-phase reduction. This ability reduces the management overhead drastically and makes the analysis and correlation easy. Moreover, we were able to construct attack scenarios for multistep attacks and detect large-scale attacks in real time.