A rule-based intrusion alert correlation system for integrated security management

As traditional host- and network-based IDSs are to detect a single intrusion based on log data or packet information respectively, they inherently generate a huge number of false alerts due to lack of information on interrelated alarms. In order to reduce the number of false alarms and then detect a real intrusion, a new alert analyzing system is needed. In this paper, we propose a rule-based alert correlation system to reduce the number of false alerts, correlate them, and decide which alerts are parts of the real attack. Our alert correlation system consists of an alert manager, an alert preprocessor, an alert correlator. An alert manager takes charge of storing filtered alerts into our alert database. An alert preprocessor reduces stored alerts to facilitate further correlation analysis. An alert correlator reports global attack plans.