A knowledge-based alert evaluation and security decision support framework

In this paper, a generic architecture for intrusion alert management, analysis and security decision support is described. The architecture is composed of four components: (1)Alert Aggregator, (2)Alert Evaluation and Security Decision Support Component, (3)Alert Correlator and (4)Synthetic Alert Report Generator. The core of this architecture is the Alert Evaluation and Security Decision Support component. The component provides a framework for knowledge-based alert evaluation and security decision support. The framework aims at reducing alert overload and false positive alerts, prioritizing alerts and providing real-time security decision support. This is accomplished by integrating knowledge of the protected network and host asset information and knowledge of known vulnerability requirements as well as specified security policies into the alert evaluation process. The alert evaluation and security decision support component as well as the alert aggregator have been implemented, and the implementation results are presented in this paper.