An adaptive alert correlation method based on pattern mining and clustering analysis

Multi-step attack is one of the primary forms of the current attacks. There are some relationships among each step of attacks, such as redundancy relationship and causality relationship. But the relationships among security events are often ignored by the current intrusion detection systems (IDS), and an important problem in the field of IDS is a large volume of false positive which tends to overwhelm human operators. On the basis of analyzing the evolution and drawbacks of current alert correlation systems, a self-adapted alarming association method, A3PC, is presented based on anomaly detection ideas and centering on the concept of behavior patterns generated by alerts. The alert classification model is created by extracting association rules and series patterns in order to automatically discriminate the false alerts. At the same time, effective and condensed alerts view for administrators can be shaped based on the combinative idea of pattern mining and clustering analysis and the semiautomatic interactive processing approach. The accuracy of intrusion detection systems is thus enhanced. The DARPA intrusion scenario dataset from MIT Lincoln Lab is used to evaluate the function and performance of A3PC. The experiments results indicate that A3PC is superior to the traditional methods in accuracy, real-time and adaptivity.