Security information about information systems provided by current intrusion detection systems (IDS) is spread over numerous similar and fine-grained alerts. Security operators are consequently overwhelmed by alerts whose content is too poor. Alarm correlation techniques are used to reduce the number of alerts and enhance their content. In this paper, we tackle the alert correlation problem as an information retrieval problem in order to make the handling of alert groups easier.
展开▼
