ACARM-ng: Next Generation Correlation Framework

  • Bartłomiej Balcerek
  • Bartosz Szurgot
  • Mariusz Uchroński
  • Wojciech Waga
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7136)


ACARM-ng is an extensible, plug-in-based alert correlation framework. It introduces abstractions for correlation, reporting, reaction, gathering data from multiple sources, and data storage. ACARM-ng supports real-time reporting: an alert can be reported while it is still being correlated, so partial correlation results are visible before a correlation run completes. For administrators, a Web User Interface presents the gathered and correlated data in a consistent way. The system is written in C++ and makes use of multi-core architectures.
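The abstract names three ideas that are easy to misread without code: a correlation rule as a pluggable abstraction, a meta-alert that groups IDMEF-style alerts, and real-time reporting (the group is reported each time it grows, not once at the end). The following is an added illustration written for this page, not ACARM-ng's own code or API. It assumes a simplified alert record with four IDMEF-like fields, a single example rule (repeated SSH login failures from one source against one target, grouped within a 60-second window), and a reporter callback that stands in for the framework's reporting plug-ins; all names and the sample alert stream are constructed.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Minimal alert: the few IDMEF-like fields the example rule needs (constructed).
struct Alert {
    std::string classification;  // Classification text
    std::string source;          // Source address
    std::string target;          // Target address
    long long   create_time;     // CreateTime, seconds since epoch
};

// A group of correlated alerts (a meta-alert). Reported every time it grows.
struct MetaAlert {
    std::string        key;
    std::vector<Alert> alerts;
    long long          last_time;
    int                reports;   // how many times this group has been reported so far
};

using Rule     = std::function<std::string(const Alert&)>;  // grouping key, or "" if rule does not apply
using Reporter = std::function<void(const MetaAlert&)>;     // invoked on every change to a group

class Correlator {
public:
    Correlator(Rule rule, Reporter reporter, long long window_s)
        : rule_(std::move(rule)), reporter_(std::move(reporter)), window_(window_s) {}

    // Feeds one alert. Returns true when it extended an already open group.
    bool process(const Alert& a) {
        std::string key = rule_(a);
        if (key.empty())                          // no rule matched: alert stands alone
            key = "single#" + std::to_string(groups_.size());
        auto it = open_.find(key);
        bool extended = it != open_.end() &&
                        a.create_time - groups_[it->second].last_time <= window_;
        if (!extended) {                          // new key, or the open group expired
            groups_.push_back(MetaAlert{key, {}, 0, 0});
            open_[key] = groups_.size() - 1;
            it = open_.find(key);
        }
        MetaAlert& m = groups_[it->second];
        m.alerts.push_back(a);
        m.last_time = a.create_time;
        ++m.reports;
        reporter_(m);   // real-time reporting: the partial group is visible immediately
        return extended;
    }

    const std::vector<MetaAlert>& groups() const { return groups_; }

private:
    Rule rule_;
    Reporter reporter_;
    long long window_;
    std::vector<MetaAlert> groups_;            // every group ever opened, in creation order
    std::map<std::string, std::size_t> open_;  // key -> index of the currently open group
};

// Example rule (hypothetical): group repeated SSH login failures per source/target pair.
std::string ssh_brute_force_rule(const Alert& a) {
    if (a.classification != "ssh_failed_login") return "";
    return a.classification + "|" + a.source + "|" + a.target;
}

struct DemoResult {
    std::vector<MetaAlert> groups;
    int reports_emitted;
    std::vector<bool> extended;   // per input alert: was it merged into an open group?
};

// Runs the correlator over a constructed alert stream with a 60 s window.
DemoResult run_demo() {
    DemoResult r{{}, 0, {}};
    Correlator c(ssh_brute_force_rule,
                 [&r](const MetaAlert& m) {
                     ++r.reports_emitted;
                     std::cout << "[report #" << m.reports << "] " << m.key
                               << " alerts=" << m.alerts.size() << "\n";
                 },
                 60);
    const std::vector<Alert> stream = {   // constructed sample input
        {"ssh_failed_login", "10.0.0.5", "192.168.1.10", 100},
        {"ssh_failed_login", "10.0.0.5", "192.168.1.10", 105},
        {"portscan",         "10.0.0.9", "192.168.1.10", 106},  // no rule applies: stands alone
        {"ssh_failed_login", "10.0.0.5", "192.168.1.10", 110},
        {"ssh_failed_login", "10.0.0.5", "192.168.1.10", 500},  // 390 s later: window expired
    };
    for (const Alert& a : stream) r.extended.push_back(c.process(a));
    r.groups = c.groups();
    return r;
}

int main() {
    DemoResult r = run_demo();
    std::cout << r.groups.size() << " groups, " << r.reports_emitted << " reports\n";
}
```

The reporter fires five times for five alerts, and the first SSH group is reported three times with one, two and three alerts respectively; a reporting plug-in that only wanted the final picture would have to deduplicate by group key. The out-of-window alert at t=500 opens a fresh group under the same key rather than stretching the old one, which is the caveat a practitioner should check in any windowed correlation rule: without an expiry test, a slow brute-force would keep one meta-alert open indefinitely.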


Keywords: correlation, alerts, IDMEF, framework, IDS, IPS

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Bartłomiej Balcerek (1)
  • Bartosz Szurgot (1)
  • Mariusz Uchroński (1)
  • Wojciech Waga (1)

  1. WCSS, Wrocław University of Technology, Wrocław, Poland