AIDA Framework: Real-Time Correlation and Prediction of Intrusion Detection Alerts

In this paper, we present AIDA, an analytical framework for processing intrusion detection alerts with a focus on alert correlation and predictive analytics. The framework contains components that filter, aggregate, and correlate the alerts, and predict future security events using the predictive rules distilled from historical records. The components are based on stream processing and use selected features of data mining (namely sequential rule mining) and complex event processing. The framework was deployed as an analytical component of an alert sharing platform, where alerts from intrusion detection systems, honeypots, and other data sources are exchanged among the community of peers. The deployment is briefly described and evaluated to illustrate the capabilities of the framework in practice. Further, the framework may be deployed locally for experimentations over datasets.