Investigation of the Effectiveness of Alert Correlation Methods in a Policy-Based Security Framework

  • Bartłomiej Balcerek
  • Piotr Dragan
  • Bogdan Trawinski
  • Marcin Wojtkicwicz
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1)


The investigation of the effectiveness of alert correlation methods implemented in the Alert Correlation Module was presented in the paper. The module was developed within the POSITIF project (Policy-based Security Tools and Framework) funded by the European Commission. Three effectiveness metrics were applied: reduction coefficient average ancestor count in alert trees and percentage of meta-alerts in outgoing alerts. Research was conducted using a test environment comprising 14 computers with IDS installed. Network traffic was monitored for 40 days, and during this time the IDSs generated 211 251 alerts. The module correlated and recognized as dangerous 6994 of them therefore achieving a level of reduction equal to 96.69 percent, which could be regarded as a good results.


intrusion detection alert correlation alert merging 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Cuppens, F., Miege, A.: Alert Correlation in a Cooperative Intrusion Detection Framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 202–215. IEEE Computer Society Press, Los Alamitos (2002)CrossRefGoogle Scholar
  2. 2.
    Danyliv, R., Meijer, J., Demchenko, Y.: The Incident Object Description Exchange Format (2006),
  3. 3.
    Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format (2006),
  4. 4.
    Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)Google Scholar
  5. 5.
    Dörges, T., Kossakowski, K.P.: Proactive Security Monitoring in a Policy Managed Network. In: 18th Annual FIRST Conference (2006)Google Scholar
  6. 6.
    Lioy, A.: Positif (Policy-based Security Tools and Framework)—Annex (2003)Google Scholar
  7. 7.
    POSITIF Project Website (2003),
  8. 8.
    Prelude-IDS Project Websites.
  9. 9.
    Rose, M.: The Blocks Extensible Exchange Protocol Core (2001),
  10. 10.
    Valdes, A., Skinner, K.: Probabilistic Alert Correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol 2212, pp. 54–68. Springer, Heidelberg (2001)Google Scholar
  11. 11.
    Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.A.: A comprehensive approach to intrusion detection alert correlation. IEEE Transactions On Dependable and Secure Computing 1(3), 146–169 (2004)CrossRefGoogle Scholar
  12. 12.
    Xu, D., Ning, P.: Alert Correlation through Triggering Events and Common Resources. In: Yew, P.-C., Xue, J. (eds.) ACSAC 2004. LNCS, vol. 3189, pp. 360–369. Springer, Heidelberg (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Bartłomiej Balcerek
    • 1
  • Piotr Dragan
    • 1
  • Bogdan Trawinski
    • 2
  • Marcin Wojtkicwicz
    • 1
  1. 1.Wrocław Centre for Networking and supercomputingWrocławPoland
  2. 2.Institute of Applied InformaticsWrocław University of TechnologyWrocławPoland

Personalised recommendations