Published in: Journal of applied non-classical logics

An alert correlation approach based on security operator's knowledge and preferences


Abstract

One of the major problems of intrusion detection is the large number of alerts that intrusion detection systems (IDS) produce. The security operator who analyzes alerts and makes decisions is often overwhelmed by the volume of alerts to analyze. In this paper, we present a new alert correlation approach based on the knowledge and preferences of security operators. This approach, which is complementary to existing ones, makes it possible to rank-order the produced alerts on the basis of the security operator's knowledge about the system and the IDS in use, and his preferences about which alerts he wants to analyze or ignore. Our approach is based on the development of a new non-classical logic for representing preferences, called FO-MQCL (First Order - Minimal Qualitative Choice Logic). Our logic extends a fragment of first-order logic by adding a new logical connective. The general idea is to present only the alerts that fully fit the security operator's preferences and knowledge; if needed, less preferred alerts can also be presented.
