International Journal of Computer Science and Information Technologies
Alert aggregation is an important subtask of intrusion detection. The goal is to identify and to cluster different alerts - produced by low-level intrusion detection systems, firewalls, etc. Belonging to a specific attack instance which has been initiated by an attacker at a certain point in time. Thus, meta-alerts can be generated for the clusters that contain all the relevant information whereas the amount of data (i.e. alerts) can be reduced substantially. Meta-alerts may then be the basis for reporting to security experts or for communication within a distributed intrusion detection system.