An Architecture for Alert Correlation Inspired By a Comprehensive Model of Human Immune System

Alert correlation is the process of analyzing, relating and fusing the alerts generated by one or more Intrusion Detection Systems (IDS) in order to provide a high-level and comprehensive view of the security situation of the system or network. Different approaches, such as rule-based, prerequisites consequences-based, learning-based and similarity-based approach are used in correlation process. In this paper, a new AIS-inspired architecture is presented for alert correlation. Different aspects of human immune system (HIS) are considered to design iCorrelator. Its three-level structure is inspired by three types of responses in human immune system: the innate immune system's response, the adaptive immune system's primary response, and the adaptive immune system's secondary response. iCorrelator also uses the concepts of Danger theory to decrease the computational complexity of the correlation process without considerable accuracy degradation. By considering the importance of signals in Danger theory, a new alert selection policy is introduced. It is named Enhanced Random Directed Time Window (ERDTW) and is used to classify time slots to Relevant (Dangerous) and Irrelevant (Safe) slots based on the context information gathered during previous correlations. iCorrelator is evaluated using the DARPA 2000 dataset and a netForensics honeynet data. Completeness, soundness, false correlation rate and the execution time are investigated. Results show that iCorrelator generates attack graph with an acceptable accuracy that is comparable to the best known solutions. Moreover, inspiring by the Danger theory and using context information, the computational complexity of the correlation process is decreased considerably and makes it more applicable to online correlation.