Lydia Bouzar-Benlabiod, S. Benferhat, Thouraya Boubana-Tebibel
Title: Integrating security operator knowledge and preferences to the alert correlation process
DOI: 10.1109/ICMWI.2010.5648098 (https://doi.org/10.1109/ICMWI.2010.5648098)
Venue: 2010 International Conference on Machine and Web Intelligence, volume 59 1
Publication date: 2010-11-29
Source: Semantic Scholar
Citations: 7
Abstract
Intrusion Detection Systems (IDS) are necessary for system monitoring. However, they produce a huge quantity of alerts. Alert correlation is a process applied to the IDS alerts in order to reduce their number. In this paper we propose a new approach to alert correlation that enables the integration of new information into the alert correlation process: the security operator's knowledge and preferences. This information concerns the monitored system and the risk level of each alert, according, for instance, to the operator's experience. The representation of, and reasoning on, this knowledge and these preferences are done using Qualitative Choice Logic (QCL) and its extensions: Prioritized Qualitative Choice Logic (PQCL) and Positive Qualitative Choice Logic (QCL+). Experimental results are obtained on data from the monitoring of a real system. The result is a set of ordered alerts that satisfies the operator's criteria.