    Mu Chengpo, Huang Houkuan, Tian Shengfeng, Lin Youfang, and Qin Yuanhui. Intrusion-Detection Alerts Processing Based on Fuzzy Comprehensive Evaluation[J]. Journal of Computer Research and Development, 2005, 42(10): 1679-1685.

    Intrusion-Detection Alerts Processing Based on Fuzzy Comprehensive Evaluation

    An algorithm based on fuzzy comprehensive evaluation is presented for correlating the alerts produced by intrusion detection systems. The paper also gives an approach for learning a confidence metric for each type of alert, which can be used to filter alerts further. Using the correlation algorithm together with the confidence learning method significantly reduces false positive alerts and duplicate alerts, and the workload of network administrators is gradually reduced as well. In addition, the correlated alerts help to capture the logical steps or strategies behind attacks and to choose appropriate actions to stop ongoing attacks. The approach can potentially be used to integrate different kinds of security tools in order to achieve cooperative defence for network systems.