Alertclu: A Realtime Alert Aggregation and Correlation System

Abstract

Intrusion detection can be defined as the process of identifying malicious behavior that targets a network and its resources. An important problem in the field of intrusion detection is the management of alerts. This paper describes a realtime aggregation and correlation system named Alertclu. With the aid of similarity-based alert clustering analysing technology, Alertclu can improve the aggregation of intrusion detection system outputs and allow one to seamlessly incorporate additional information. In addition, Alertclu supports the operators by classifying alerts into true positives and false positives. The results of experiment show that the proposed system is able to reduce the numerous redundant alerts and effectively reduces the analyst operators' workload.