Real-time Alert Correlation Using Stream Data Mining Techniques.

With the large volume of alerts produced by low-level detectors, management of intrusion alerts is becoming more challenging. Alert Correlation addresses this issue by providing a condensed, yet more useful view of the network from the intrusion standpoint. In this paper, we propose a new framework for real-time alert correlation that incorporates novel techniques for aggregating alerts into structured patterns and incremental mining of frequent structured patterns. In the proposed framework, time-sensitive statistical relationships between alerts are maintained in an efficient data structure and are updated incrementally to reflect the latest trends of patterns. The results of experiments with synthetic and real-world datasets demonstrate the efficiency of the proposed techniques. Our Frequent Structure Mining algorithm scales linearly with the size of the dataset and the proposed framework can cope with the throughput of a large-scale network. The ability to answer time-sensitive queries about patterns is another advantage of this work compared to other methods.