Towards Implementing Agent Based Correlation Model For Real-Time Intrusion Detection Alerts

Article

Last updated: 04 Jan 2025

Subjects

-

Tags

-

Abstract

Alert correlation is a promising technique in intrusion detection. It analyzes the alerts
from one or more intrusion detection systems and provides a compact, summarized
report and a high-level view of attempted intrusions, which greatly improves security
effectiveness. A correlation component is a procedure that aggregates alerts
according to certain criteria; the aggregated alerts may share common features or
represent steps of a predefined attack scenario. Correlation approaches consist of
either a single component or a comprehensive set of components. The effectiveness of a
component depends heavily on the nature of the real alerts or the dataset analyzed,
the order in which components are applied affects the performance of the correlation
process, and not every component is appropriate for every dataset. This paper
presents an implementation of an Agent Based Correlation Model (ABCM) for real-time
intrusion detection alerts. A learning agent learns the nature of the alerts within a
network and then guides the whole correlation process, deciding which components
should be used and in which order. The model improves the performance of the
correlation process by selecting only the components that are appropriate. Simulation
results showed that ABCM keeps the number of alerts processed by each component to a
minimum for the given dataset and minimizes the time taken by the correlation process.

DOI

10.21608/iceeng.2010.33007

Keywords

Alert Correlation, Intrusion Detection, Learning Agent, Agent-Based Systems

Authors

First Name

Ismail

Last Name

Abdel Ghafar

MiddleName

-

Affiliation

Egyptian Armed Forces.

Email

-

City

-

Orcid

-

First Name

Ayman

Last Name

Taha

MiddleName

E.

Affiliation

Egyptian Armed Forces.

Email

-

City

-

Orcid

-

First Name

Ayman

Last Name

Bahaa Eldin

MiddleName

M.

Affiliation

Computer and Systems Engineering Department, College of Engineering, Ain Shams University, Abasia, Cairo, Egypt.

Email

-

City

-

Orcid

-

First Name

Hani

Last Name

Mahdi

MiddleName

M. K.

Affiliation

Computer and Systems Engineering Department, College of Engineering, Ain Shams University, Abasia, Cairo, Egypt.

Email

-

City

-

Orcid

-

Volume

7

Article Issue

7th International Conference on Electrical Engineering ICEENG 2010

Related Issue

5537

Issue Date

2010-05-01

Receive Date

2019-05-23

Publish Date

2010-05-01

Page Start

1

Page End

13

Print ISSN

2636-4433

Online ISSN

2636-4441

Link

https://iceeng.journals.ekb.eg/article_33007.html

Detail API

https://iceeng.journals.ekb.eg/service?article_code=33007

Order

48

Type

Original Article

Type Code

833

Publication Type

Journal

Publication Title

The International Conference on Electrical Engineering

Publication Link

https://iceeng.journals.ekb.eg/

Details

Created At

22 Jan 2023