Title :
Event Correlation for Intrusion Detection Systems
Author :
Dwivedi, Neelam ; Tripathi, Aprna
Abstract :
Intrusion Detection Systems (IDS) have grown into a mature and feature-rich technology that provides advanced capabilities for detecting intrusions and responding to them. An IDS also supports the management system in security analysis by monitoring, configuring and analyzing intrusion data. A better understanding of alerts, obtained through a general framework and infrastructure that detects intrusions using an event correlation strategy, minimizes the amount of data generated. Event correlation techniques are needed for two reasons. First, network attack detection is usually based on information received from distributed sensors, e.g. intrusion detection systems. Second, during attacks the volume of generated events is hard to handle, so it is difficult to evaluate the current attack situation for a large network. Thus, the concept of event or alert correlation has been introduced. Event correlation paints a picture of what is now called network or cyber situational awareness and tries to guide the security administrator on the actions that can be taken to mitigate the crisis. The aim of event correlation for an intrusion detection system (IDS) is to improve security by correlating events and to reduce the workload on the IDS analyst. This correlation is achieved by grouping similar alerts together, allowing the analyst to look at only a few alerts instead of hundreds or thousands. In this paper, we correlate the results of the SNORT Intrusion Detection System (IDS) with SEC (Simple Event Correlator), taking input from the MIT DARPA (Defense Advanced Research Projects Agency) dataset. The number of alerts generated by Snort is very large, so it is difficult for administrators to identify them. Here we correlate alerts that carry the same name but come from different IP addresses. This correlation removes the duplication of alerts and thus reduces the information overload on the administrator.
Keywords :
IP networks; computer network security; correlation methods; Defense Advanced Research Projects Agency; IDS; IP address; MIT DARPA dataset; SEC; SNORT intrusion detection system; alert correlation; cyber situational awareness; distributed sensors; event correlation strategy; management system; network attack detection; security administrator; security analysis; simple event correlator; workload reduction; Computers; Correlation; Feature extraction; Intrusion detection; Monitoring; Sensors; Correlation; DARPA; IDS; SEC; events;
Conference_Title :
Computational Intelligence & Communication Technology (CICT), 2015 IEEE International Conference on
Conference_Location :
Ghaziabad
Print_ISBN :
978-1-4799-6022-4
DOI :
10.1109/CICT.2015.111