Alert correlation in intrusion detection: Combining AI-based approaches for exploiting security operators' knowledge and preferences

Alert correlation is a crucial problem for monitoring and securing computer networks. It consists in analyzing the alerts triggered by intrusion detection systems (IDSs) and other security related tools in order to detect complex attack plans, discover false alerts, etc. The huge amounts of alerts raised continuously by IDSs and the impossibility for security operators to efficiently analyze them requires tools for eliminating false and redundant alerts on the one hand and prioritize them according the detected activities’ dangerousness and preferences of the analysts on the other hand. In this paper, we describe an architecture that combines AI-based approaches for representing and reasoning with security operators’ knowledge and preferences. Moreover, this architecture allows to combines experts’ knowledge with machine learning and classifier based tools. This prototype collects the alerts raised by security related tools and analyzes them automatically. We first propose formalisms for representing both background and contextual knowledge on the monitored network, known attacks and vulnerabilities. We then propose another logic-based formalism for representing and reasoning with operators’ preferences regarding the events and alerts they want analyze in priority. We after that propose probabilistic models for detecting and predicting attack plans and severe attacks. Finally, we provide further discussions and future work directions.