A real-time GPU-based approach for alert aggregation

Alert correlation is an approach to analyze a huge number of security alerts received from network sensors. An alert correlation engine normalizes, fuses and clusters incoming alerts; then identifies relationships among them. Limitation of computing resources, like CPUs, makes such systems not satisfactory. In recent years, GPUs have been used in various fields, however, due to the dynamic nature of processes and data structures in alert correlation, correlation algorithms have not been implemented on the GPU. This paper presents a novel approach to implement alert correlation on the GPU. It focuses on alert aggregation, which is classified as a similarity-based alert correlation. This approach presents an online cooperative model which utilizes the processing power of CPUs and GPUs to aggregate security alert. This paper also presents the development of a toolkit named GTA2, which works as an assistant tool with Snort and provides online alert aggregation on alerts received. GTA2 takes advantage of unused processing power of existing GPU to aggregate security alerts generated by Snort. Evaluations illustrate the proposed method will improve the processing speed by 15 times.