Search results for: alert correlation
Number of results: 403255
Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion r...
TRINETR: An Intrusion Detection Alert Management and Analysis System by Jinqiao Yu An intrusion detection system (IDS) is a software system or hardware device deployed to monitor network and host activities, including data flows and information accesses, in order to capture suspicious activities. In recent years, IDS has begun to gain wide acceptance as a necessary and worthwhile investment in security....
The need for higher-level reasoning capabilities beyond low-level sensor abilities has prompted researchers to use different types of sensor fusion techniques for better situational awareness in the intrusion detection environment. These techniques primarily vary in terms of their mission objectives. Some prioritize alerts for alert reduction, some cluster alerts to identify common attack patte...
In order to reduce the numbers of non-relevant alerts and false positives typically generated by Intrusion Detection Systems (IDS) in real-world situations, several alert correlation approaches that integrate and jointly analyse the alert streams of different alert sensors have been proposed. Inspired by the mental process of contextualisation used by security analysts to weed out less relevant...
We present a novel alert correlation approach based on the factor analysis statistical technique for malware characterization. Our approach involves mechanically computing a set of abstract quantities, called factors, for expressing the intrusion detection system (IDS) alerts pertaining to malware instances. These factors correspond to patterns of alerts, and can be used to succinctly character...
As for network security, post-IDS alert analysis has become a fashion in view of collaboration and correlation, and context-aware alert verification is one of the main solutions. In order to guarantee a unified representation of related information and knowledge, this paper tries to introduce basic-elements and the extension method into the study on context-aware alert verification. This paper ...
As enterprises deploy multiple intrusion detection sensors at key points in their networks, the issue of correlating messages from these sensors becomes increasingly important. A correlation capability reduces alert volume, and potentially improves detection performance through sensor reinforcement or complementarity. Correlation is especially advantageous when heterogeneous sensors are employe...