Browse Prior Art Database

Method and System for Autonomic Generation of Site-Specific Correlation Rules Disclosure Number: IPCOM000021694D
Original Publication Date: 2004-Feb-03
Included in the Prior Art Database: 2004-Feb-03
Document File: 2 page(s) / 46K

Publishing Venue



Disclosed is a framework for automatically finding site-specific correlation rules for intrusion detection alert correlation.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 53% of the total text.

Page 1 of 2

Method and System for Autonomic Generation of Site -Specific Correlation Rules

1. Background

Intrusion detection alerts (alerts for short) are extremely abundant and redundant. It is therefore ineffective to present individual alerts to the intrusion detection analyst (analyst, for short). As a work-around, one typically correlates alerts into alert groups, i.e. groups of related alerts. Then, only the alert groups, but not their constituent alerts, are presented to the analyst. Unfortunately, it is a very difficult problem to find good correlation rules, i.e. good rules for grouping alerts into alert groups. This difficulty of finding good correlation rules arises because each deployment of intrusion detection systems (IDSs) triggers a unique and site-specific mix of alerts. This mix is site-specific because it depends on the IDSs installed, the topology of the site, software installed at the site, and many other characteristics of the site.

The conventional solution consists in manually crafting and tweaking site-specific correlation rules. Clearly, this solution is costly and error-prone.

This text describes a framework for automatically finding site-specific correlation rules, while aging and discarding old ones. This vastly reduces the cost and error-potential of correlation.

2. Summary of the Idee

The main ideas can be summarized as follows:

(1) Apply data mining to extract human-understandable alert patterns (HUAPs) from the alerts triggered by one

or several IDSs.

--> Note: A HUAP is meaningful to and interpretable by an analyst; that's what "human-understandable" means.

(2) Use these HUAPs as correlation rules, i.e. match all incoming alerts against the library of HUAPs

Once a HUAP has been instantiated (i.e. all its constituent alerts have been matched by incoming

alerts), the correlation engine triggers a meta...