TRINETR: an intrusion detection alert management systems
Jinqiao Yu, Y. Reddy, S. Selliah, K. Srinivas, S. Reddy, V. Bharadwaj
13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, published 2004-06-14. DOI: 10.1109/ENABL.2004.76 (https://doi.org/10.1109/ENABL.2004.76). Citation count (Semantic Scholar): 40.

Abstract
In response to the daunting threats of cyber attacks, a promising approach is computer and network forensics. Intrusion detection systems are an indispensable part of computer and network forensics. They are deployed to monitor network and host activities, including data flows and information accesses. But current intrusion detection products present many flaws, including alert flooding, too many false alerts, and isolated alerts. We describe an ongoing project to develop an intrusion alert management system, TRINETR. We present a collaborative architecture design for multiple intrusion detection systems to work together to detect real-time network intrusions. The architecture is composed of three parts: alert aggregation, knowledge-based alert evaluation, and alert correlation. The architecture aims to reduce alert overload by aggregating alerts from multiple sensors to generate condensed views, to reduce false positives by integrating network and host system information into the alert evaluation process, and to correlate events based on logical relations to generate a global, synthesized alert report. The first two parts of the architecture have been implemented, and the implementation results are presented.
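The three stages the abstract names (aggregation of duplicate alerts from several sensors, knowledge-based evaluation against host inventory, and correlation by logical prerequisite relations) as a small Python pipeline. This is an added illustration, not TRINETR's code or the authors' implementation; the signature names, the host inventory, the prerequisite table and the alert stream are all constructed here, and the verdict names ("confirmed", "false_positive", "unverified") are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds since some epoch
    sensor: str      # which IDS sensor raised it
    sig: str         # signature name
    src: str
    dst: str
    dst_port: int
    target_os: str   # OS the signature's exploit applies to; "any" = no constraint


# Constructed sample stream: two sensors overlapping on the same scan and exploit,
# one exploit aimed at a host that cannot be affected, one isolated brute-force,
# and one exploit against a host missing from the inventory.
ALERTS = [
    Alert(100, "nids-dmz", "PORTSCAN_SYN", "203.0.113.9", "10.0.0.7", 80, "any"),
    Alert(101, "nids-core", "PORTSCAN_SYN", "203.0.113.9", "10.0.0.7", 80, "any"),
    Alert(101, "nids-dmz", "PORTSCAN_SYN", "203.0.113.9", "10.0.0.7", 80, "any"),
    Alert(102, "nids-core", "PORTSCAN_SYN", "203.0.113.9", "10.0.0.7", 80, "any"),
    Alert(103, "nids-dmz", "PORTSCAN_SYN", "203.0.113.9", "10.0.0.7", 80, "any"),
    Alert(130, "nids-dmz", "WEB_EXPLOIT_IIS_ISAPI", "203.0.113.9", "10.0.0.7", 80, "windows"),
    Alert(131, "nids-core", "WEB_EXPLOIT_IIS_ISAPI", "203.0.113.9", "10.0.0.7", 80, "windows"),
    Alert(140, "nids-dmz", "WEB_EXPLOIT_IIS_ISAPI", "203.0.113.9", "10.0.0.5", 80, "windows"),
    Alert(150, "nids-core", "SSH_BRUTE_FORCE", "198.51.100.4", "10.0.0.5", 22, "any"),
    Alert(160, "nids-dmz", "WEB_EXPLOIT_IIS_ISAPI", "203.0.113.9", "10.0.0.9", 80, "windows"),
]

# Constructed host knowledge base (the "network and host system information" the
# abstract feeds into evaluation): OS and which service listens on which port.
HOSTS = {
    "10.0.0.5": {"os": "linux", "services": {22: "openssh", 80: "apache"}},
    "10.0.0.7": {"os": "windows", "services": {80: "iis"}},
}

# Constructed logical relations: signature -> signatures that may precede it in an attack.
PREREQ = {"WEB_EXPLOIT_IIS_ISAPI": {"PORTSCAN_SYN"}}


def aggregate(alerts, window=60):
    """Stage 1: collapse alerts with the same (sig, src, dst, port) from any sensor
    that fall within `window` seconds of the previous one into one condensed record."""
    condensed, open_groups = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src, a.dst, a.dst_port)
        g = open_groups.get(key)
        if g is not None and a.ts - g["last"] <= window:
            g["count"] += 1
            g["last"] = a.ts
            g["sensors"].add(a.sensor)
            continue
        g = {"sig": a.sig, "src": a.src, "dst": a.dst, "dst_port": a.dst_port,
             "target_os": a.target_os, "first": a.ts, "last": a.ts,
             "count": 1, "sensors": {a.sensor}}
        open_groups[key] = g
        condensed.append(g)
    return condensed


def evaluate(condensed, hosts):
    """Stage 2: check each condensed alert against the target host's inventory.
    An exploit for an OS the target does not run, or for a port it does not
    serve, is demoted to a false positive; an unknown host cannot be judged."""
    out = []
    for g in condensed:
        e = dict(g)
        host = hosts.get(g["dst"])
        if host is None:
            e["verdict"], e["reason"] = "unverified", "target not in host inventory"
        elif g["target_os"] != "any" and host["os"] != g["target_os"]:
            e["verdict"], e["reason"] = "false_positive", (
                f"target runs {host['os']}, signature targets {g['target_os']}")
        elif g["dst_port"] not in host["services"]:
            e["verdict"], e["reason"] = "false_positive", f"port {g['dst_port']} not served"
        else:
            e["verdict"], e["reason"] = "confirmed", (
                f"target {host['os']}/{host['services'][g['dst_port']]} matches signature")
        out.append(e)
    return out


def correlate(evaluated):
    """Stage 3: chain alerts whose signatures stand in a prerequisite relation,
    from the same source against the same target, into one incident. Alerts that
    chain to nothing stay as single-step incidents (the 'isolated alerts')."""
    relevant = sorted((e for e in evaluated if e["verdict"] != "false_positive"),
                      key=lambda e: e["first"])
    incidents = []
    for e in relevant:
        for inc in incidents:
            last = inc["steps"][-1]
            if (last["sig"] in PREREQ.get(e["sig"], set())
                    and last["src"] == e["src"] and last["dst"] == e["dst"]):
                inc["steps"].append(e)
                break
        else:
            incidents.append({"steps": [e]})
    return incidents


def report(incidents):
    """Synthesized one-line-per-incident view of the correlated output."""
    return [" -> ".join(f"{s['sig']}({s['src']}->{s['dst']},x{s['count']},{s['verdict']})"
                        for s in inc["steps"]) for inc in incidents]


if __name__ == "__main__":
    for line in report(correlate(evaluate(aggregate(ALERTS), HOSTS))):
        print(line)
```

Running it turns ten raw alerts into five condensed records, demotes the IIS exploit against the Apache host, and reports three incidents: the scan-then-exploit chain against 10.0.0.7, the isolated SSH brute force, and the unverifiable exploit against the host missing from the inventory (kept, since absence of inventory is not evidence of immunity).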