16-03-2017, 04:27 PM
Aggregation of alerts is an important intrusion detection subtask. The objective is to identify and group different alerts produced by low-level intrusion detection systems, firewalls, etc., belonging to a specific attack instance that has been initiated by an attacker at any given time. Therefore, meta-alerts can be generated for clusters containing all relevant information while the amount of data (i.e., alerts) can be substantially reduced. Meta-alerts can then be the basis for reporting to security experts or for communication within a distributed intrusion detection system. We propose a novel technique for online alert aggregation that is based on a dynamic and probabilistic model of the current attack situation. Basically, it can be considered as a data flow version of a maximum likelihood approach for estimating model parameters. With three sets of baseline data, we show that it is possible to achieve reduction rates of up to 99.96 percent, while the number of missing meta-alerts is extremely low. In addition, meta-alerts are generated with a delay of typically only a few seconds after observing the first alert pertaining to a new instance of attack.
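To make the idea of a data-stream maximum likelihood aggregator concrete, here is an added, simplified illustration (not the authors' model or code): each cluster keeps per-attribute value counts, the sufficient statistics of a categorical maximum likelihood model updated online; a new alert joins the cluster that explains it best, or opens a new cluster and emits a meta-alert when no cluster does. The attribute set, the smoothing constants, the threshold and the sample alert stream are all constructed assumptions.

```python
import math
from collections import Counter

ATTRS = ("src", "dst_port", "sig")  # assumed alert attributes used by the model


class Cluster:
    """Sufficient statistics of one attack instance (a meta-alert)."""

    def __init__(self):
        self.n = 0
        self.counts = {a: Counter() for a in ATTRS}

    def log_likelihood(self, alert, alpha=1.0, domain=16):
        # Smoothed ML estimate of P(value | cluster) per attribute;
        # 'domain' is an assumed number of possible values per attribute.
        return sum(math.log((self.counts[a][alert[a]] + alpha)
                            / (self.n + alpha * domain)) for a in ATTRS)

    def update(self, alert):
        # Data-stream ML update: the new observation only adds to the counts
        self.n += 1
        for a in ATTRS:
            self.counts[a][alert[a]] += 1


class OnlineAggregator:
    def __init__(self, threshold):
        self.threshold = threshold  # min log-likelihood needed to join a cluster
        self.clusters, self.meta_alerts = [], []

    def process(self, alert):
        best, best_ll = None, -math.inf
        for i, c in enumerate(self.clusters):
            ll = c.log_likelihood(alert)
            if ll > best_ll:
                best, best_ll = i, ll
        if best is None or best_ll < self.threshold:
            self.clusters.append(Cluster())      # new attack instance
            best = len(self.clusters) - 1
            self.meta_alerts.append((best, alert))  # emitted on first alert
        self.clusters[best].update(alert)
        return best

    def reduction_rate(self, n_alerts):
        return 1.0 - len(self.meta_alerts) / n_alerts


# Constructed sample stream: an SSH brute-force burst, a web attack, then one
# more SSH alert with a slightly different signature (same attack instance).
SAMPLE_ALERTS = (
    [{"src": "10.0.0.7", "dst_port": 22, "sig": "ssh-brute"}] * 5
    + [{"src": "10.0.0.9", "dst_port": 80, "sig": "sqli"}] * 3
    + [{"src": "10.0.0.7", "dst_port": 22, "sig": "ssh-fail"}]
)


def aggregate(alerts, threshold=-7.5):
    agg = OnlineAggregator(threshold)
    labels = [agg.process(a) for a in alerts]
    return agg, labels
```

Running `aggregate(SAMPLE_ALERTS)` yields two meta-alerts for nine alerts, and the probabilistic assignment keeps the differently-signed SSH alert in its original cluster rather than opening a third one.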