A Rule-Based Intrusion Alert Correlation System for Integrated Security Management

  • Seong-Ho Lee
  • Hyung-Hyo Lee
  • Bong-Nam Noh
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3036)


As traditional host- and network-based IDSs are to detect a single intrusion based on log data or packet information respectively, they inherently generate a huge number of false alerts due to lack of information on interrelated alarms. In order to reduce the number of false alarms and then detect a real intrusion, a new alert analyzing system is needed. In this paper, we propose a rule-based alert correlation system to reduce the number of false alerts, correlate them, and decide which alerts are parts of the real attack. Our alert correlation system consists of an alert manager, an alert preprocessor, an alert correlator. An alert manager takes charge of storing filtered alerts into our alert database. An alert preprocessor reduces stored alerts to facilitate further correlation analysis. An alert correlator reports global attack plans.


  1. 1.
    Carey, N., Clark, A., Mohay, G.: IDS Interoperability and Correlation Using IDMEF and Commodity Systems. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 252–264. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Cuppens, F.: Managing Alerts in a Multi-Intrusion Detection Environment. In: Proc. Of Annual Computer Security Applications Conference (ACSAC 2001), New Orleans, Louisiana, December 10-14 (2001)Google Scholar
  3. 3.
    Cuppens, F., Miege, A.: Alert Correlation in a Cooperative Intrusion Detection Framework. In: Proc. Of the 2002 IEEE Symposium on Security and Privacy (May 2002)Google Scholar
  4. 4.
    Ning, P., Cui, Y., Reeves, D.S.: Constructing Attack Scenarios through Correlation of Intrusion Alerts. In: 9th ACM conference on computer and communications security, November 18-22, pp. 245–254 (2002)Google Scholar
  5. 5.
    Ning, P., Cui, Y., Reeves, D.S.: Analyzing Intensive Intrusion Alerts via Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 74. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Lee, S.H., Park, Y.C., Lee, H.H., Noh, B.N.: The Construction of the Testbed for the Integrated Intrusion Detection Management System. In: Proc. Of 19th KIPS Spring Conference, May 16-17, vol. 10(1), pp. 1969–1972 (2003)Google Scholar
  7. 7.
    Debar, H., Dacier, M., Wespi, A.: Research Report: A Revised Taxonomy for Intrusion Detection Systems. Annales des telecommunications 55(7-8), 361–378 (1997)Google Scholar
  8. 8.
    Buchheim, T., Erlinger, M., Feinsteing, B., Matthews, G., Pollock, R., Bester, J., Walther, A.: Implementing the Intrusion Detection Exchange Protocol. In: Proc. Of 17th Annual Computer Security Applications Conference (ACSAC 2001), New Orleans, Louisiana (2001)Google Scholar
  9. 9.
    Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Seong-Ho Lee
    • 1
  • Hyung-Hyo Lee
    • 2
  • Bong-Nam Noh
    • 1
  1. 1.Department of Computer ScienceChonnam National UniversityGwangjuKorea
  2. 2.Division of Information and ECWonkwang UniversityIksanKorea

Personalised recommendations