Online Intrusion Alert Aggregation with Generative Data Stream Modeling
Alert aggregation is an important subtask of intrusion detection. The goal is to identify and cluster the different alerts - produced by low-level intrusion detection systems, firewalls, etc. - that belong to one specific attack instance, initiated by an attacker at a certain point in time. Meta-alerts can then be generated for these clusters; they contain all the relevant information while the amount of data (i.e., the number of alerts) is reduced substantially. Meta-alerts may then serve as the basis for reports to security experts or for communication within a distributed intrusion detection system. The authors propose a novel technique for online alert aggregation based on a dynamic, probabilistic model of the current attack situation.
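As an added illustration, not code from the paper or its authors: a minimal online aggregator in the spirit described above. Each meta-alert keeps a small generative model (independent, additively smoothed categorical distributions over a few alert attributes) of the alerts it has absorbed; each incoming alert is assigned to the meta-alert that explains it best, unless a fresh, empty cluster would explain it better, and clusters that receive no alerts for a while are closed so the picture of the current attack situation stays dynamic. The attribute set, smoothing constant, idle timeout, novelty rule and the sample alert stream are all assumptions of this example, not details taken from the paper.

```python
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Alert attributes used by the per-cluster generative model (assumed set).
ATTRS = ("signature", "src_ip", "dst_ip", "dst_port")
ALPHA = 0.5              # additive smoothing pseudo-count per attribute value
MAX_IDLE_SECONDS = 300   # a meta-alert with no new alert for 5 min is closed


@dataclass
class MetaAlert:
    """A cluster of alerts believed to belong to one attack instance."""
    mid: int
    n: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0
    counts: Dict[str, Counter] = field(
        default_factory=lambda: {a: Counter() for a in ATTRS})

    def log_likelihood(self, alert: dict, vocab: Dict[str, set]) -> float:
        """log P(alert | cluster) under independent smoothed categoricals."""
        ll = 0.0
        for a in ATTRS:
            k = len(vocab[a]) + 1   # +1 keeps some mass for never-seen values
            p = (self.counts[a][alert[a]] + ALPHA) / (self.n + ALPHA * k)
            ll += math.log(p)
        return ll

    def absorb(self, alert: dict) -> None:
        """Update the cluster's sufficient statistics with one more alert."""
        if self.n == 0:
            self.first_ts = alert["ts"]
        self.last_ts = alert["ts"]
        self.n += 1
        for a in ATTRS:
            self.counts[a][alert[a]] += 1

    def summary(self) -> dict:
        """The meta-alert: one record standing in for all absorbed alerts."""
        return {"id": self.mid, "alerts": self.n,
                "start": self.first_ts, "end": self.last_ts,
                "attrs": {a: sorted(self.counts[a]) for a in ATTRS}}


class Aggregator:
    """Online aggregation: one pass over the alert stream, no look-ahead."""

    def __init__(self) -> None:
        self.active: List[MetaAlert] = []
        self.closed: List[MetaAlert] = []
        self.vocab: Dict[str, set] = {a: set() for a in ATTRS}
        self._next_id = 1

    def _new_cluster_log_likelihood(self) -> float:
        # An empty cluster is uniform over the known values plus one unseen.
        return sum(-math.log(len(self.vocab[a]) + 1) for a in ATTRS)

    def process(self, alert: dict) -> int:
        """Assign one alert to a meta-alert and return that meta-alert's id."""
        ts = alert["ts"]
        # Expire idle clusters: old attack instances stop attracting alerts.
        self.closed += [m for m in self.active if ts - m.last_ts > MAX_IDLE_SECONDS]
        self.active = [m for m in self.active if ts - m.last_ts <= MAX_IDLE_SECONDS]
        for a in ATTRS:
            self.vocab[a].add(alert[a])
        # Best-explaining active cluster, unless a fresh one would do better
        # (that is the novelty test that spawns a new attack instance).
        best, best_ll = None, -math.inf
        for m in self.active:
            ll = m.log_likelihood(alert, self.vocab)
            if ll > best_ll:
                best, best_ll = m, ll
        if best is None or best_ll < self._new_cluster_log_likelihood():
            best = MetaAlert(self._next_id)
            self._next_id += 1
            self.active.append(best)
        best.absorb(alert)
        return best.mid

    def meta_alerts(self) -> List[dict]:
        return [m.summary() for m in self.closed + self.active]


# Constructed sample stream (not real data): a port scan from one host, a
# second source probing a web application, and a late scan after a long pause.
SAMPLE_ALERTS = [
    {"ts": 0,   "signature": "PORTSCAN", "src_ip": "10.0.0.5",    "dst_ip": "192.168.1.10", "dst_port": 22},
    {"ts": 2,   "signature": "PORTSCAN", "src_ip": "10.0.0.5",    "dst_ip": "192.168.1.10", "dst_port": 80},
    {"ts": 4,   "signature": "PORTSCAN", "src_ip": "10.0.0.5",    "dst_ip": "192.168.1.10", "dst_port": 443},
    {"ts": 5,   "signature": "SQLI",     "src_ip": "203.0.113.7", "dst_ip": "192.168.1.20", "dst_port": 80},
    {"ts": 7,   "signature": "SQLI",     "src_ip": "203.0.113.7", "dst_ip": "192.168.1.20", "dst_port": 80},
    {"ts": 9,   "signature": "PORTSCAN", "src_ip": "10.0.0.5",    "dst_ip": "192.168.1.10", "dst_port": 8080},
    {"ts": 900, "signature": "PORTSCAN", "src_ip": "10.0.0.5",    "dst_ip": "192.168.1.10", "dst_port": 22},
]


def run_demo(alerts=SAMPLE_ALERTS) -> Tuple[List[int], List[dict]]:
    """Feed the stream through the aggregator; return per-alert ids and meta-alerts."""
    agg = Aggregator()
    assignments = [agg.process(a) for a in alerts]
    return assignments, agg.meta_alerts()


if __name__ == "__main__":
    ids, metas = run_demo()
    print("meta-alert id per alert:", ids)   # [1, 1, 1, 2, 2, 1, 3]
    for m in metas:
        print(m)
```

On this stream the scan alerts collapse into one meta-alert even though every one hits a different port, because three of four attributes keep matching and smoothing leaves room for the new port; the SQLI alerts start a second meta-alert because an empty cluster explains them better than the scan cluster does; and the scan that resumes after a long pause opens a third meta-alert because the first one has been closed as idle. Seven alerts become three meta-alerts, which is the data reduction the abstract refers to.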