
Two-Stage Algorithm for Correlating the Intrusion Alerts
Authors: WANG Liang-min, MA Jian-feng
Affiliations: [1] The Key Laboratory of Computer Network and Information Security, Xidian University, Xi'an 710071, Shaanxi, China // School of Computer, Jiangsu University, Zhenjiang 212013, Jiangsu, China; [2] The Key Laboratory of Computer Network and Information Security, Xidian University, Xi'an 710071, Shaanxi, China
Funding: Supported by the National Natural Science Foundation of China (90204012) and the Hi-Tech Research and Development Program of China (2002AA143021)
Abstract: To solve the problems of alert flooding and poor information semantics in existing Intrusion Detection Systems (IDS), we present a two-stage algorithm for correlating alerts. In the first stage, high-level alerts are integrated using Chronicle patterns based on time intervals, which describe and match the alerts under the temporal constraints of an input sequence. In the second stage, the preparing relationship between high-level alerts is defined and applied to correlate them, and the attack scenario is constructed by drawing the attack graph. Finally, a worked example shows the performance of this two-stage correlation algorithm in decreasing the number and improving the information semantics of the intrusion alerts produced by the IDS.

Keywords (Chinese): two-level algorithm; intrusion detection system; intrusion alert; computer network; network security
Received: 30 May 2004

WANG Liang-min, MA Jian-feng. Two-Stage Algorithm for Correlating the Intrusion Alerts [J]. Wuhan University Journal of Natural Sciences, 2005, 10(1): 89-92.
Authors: Wang Liang-min, Ma Jian-feng
Institution: (1) The Key Laboratory of Computer Network and Information Security, Xidian University, 710071, Xi'an, Shaanxi, China; (2) School of Computer, Jiangsu University, 212013, Zhenjiang, Jiangsu, China
Keywords:intrusion detection  alert correlation  partial ordering
This article is indexed by CNKI, VIP, Wanfang Data, SpringerLink and other databases.