A language driven intrusion detection system for event and alert correlation

It is well known that security prevention mechanisms are not sufficient to protect efficiently an information system. Intrusion detection systems are required. But these systems present many imperfections. In particular, they can either generate false positives (i.e., alarms that should not be produced) or miss attacks (false negatives). However, the main problem is the generation of false positives that can overwhelm the information system administrator. In this paper, we follow the notion of correlation proposed by others. The objective is to aim at correlating either events in the analyser or alerts in the manager. We first present the ADeLe language, which provides a way to define the correlation properties. Then we present which algorithms have been carried out in our IDS to handle ADeLe signatures. Finally, we show the stress tests that have been applied to the probe algorithms that we have implemented.