Correlation of Alerts Using Prerequisites and Consequences for Intrusion Detection

Alert Correlation is a process that analyses the alerts produced by one or more Intrusion Detection Sensors and provides a clear picture of occurring or attempted intrusions. Even though the correlation process is often presented as a single step, the analysis is actually carried out by a number of components, each of which has a specific goal. The idea of prerequisites of an intrusion, that is the necessary condition for the intrusion to be successful and the possible outcomes of intrusion is the consequences. This method also help us to correlates two alerts if the consequence of the earlier alert prepares for the prerequisites of the later one. In this system, before alert classification we are performing normalization, pre-processing, and alert correlation. In correlation phase there are two types of correlation, which are duplicate removal (alert fusion) and consequence correlation. Thus the resulting alert set is clustered. Based on this analysis of the alert set, the prioritization component assigns an appropriate priority to every alert. This priority information is important for quickly discarding information that is irrelevant or of less importance. The second way of prioritizing is based on the number of alerts coming from the networked systems.