Abstract: Alert correlation is an important technique for organizing the large volume of intrusion alerts produced by Intrusion Detection Systems (IDSs). The prevailing trend of research in this area is to extract attack strategies from raw intrusion alerts. The general belief about intrusion detection is that, on its own, it cannot satisfy the security requirements of organizations. Intrusion response and prevention are therefore becoming very important for protecting the network and limiting damage. To launch a proper response that stops attacks and prevents them from escalating, it is important to know the real situation of a network and the strategies used by the attackers. This is also the primary aim of alert correlation. However, many current alert correlation techniques only focus on grouping inter-connected alerts into different sets, without further verifying the attackers' strategies. The main aim of this paper is to develop a new alert correlation technique that can automatically extract attack strategies from a large volume of intrusion alerts, without any prior knowledge about these alerts. The proposed approach is based on two machine learning methods, namely, Multilayer Perceptron (MLP) and Support Vector Machine (SVM). The output of these two methods is used to verify with which previous alerts the current alert should be related. This indicates the relationship between two alerts, which is helpful for determining attack scenarios. One of the important features of this technique is that an Alert Correlation Matrix (ACM) is used to store the correlation strengths of any two types of alerts. The ACM is updated during the training process, and the information it holds is then used to extract high-level attack strategies.
Keywords: ACM (Alert Correlation Matrix), MLP (Multi-Layer Perceptron), SVM (Support Vector Machine).
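As an added illustration (not code from the paper), the following Python sketch builds an Alert Correlation Matrix from a constructed alert stream, normalises it to correlation strengths, decides which earlier alerts a new alert should be linked to, and reads a simple attack-step graph out of it. The per-source grouping, the time window, the counting update rule and the use of ACM strength in place of the MLP/SVM decision are assumptions of this example; the abstract does not specify them.

```python
from collections import defaultdict

# Constructed sample alert stream: (timestamp_seconds, source_ip, alert_type).
# Made-up values for illustration only, not data from the paper.
ALERTS = [
    (0, "10.0.0.5", "PORT_SCAN"),
    (30, "10.0.0.5", "SSH_BRUTE"),
    (70, "10.0.0.5", "PRIV_ESC"),
    (200, "10.0.0.9", "PORT_SCAN"),
    (240, "10.0.0.9", "SSH_BRUTE"),
    (900, "10.0.0.9", "DNS_QUERY"),  # too late to correlate with the above
    (1000, "10.0.0.7", "SSH_BRUTE"),
    (1040, "10.0.0.7", "PRIV_ESC"),
]


def build_acm(alerts, window=120):
    """Train the ACM (assumed update rule): for each ordered pair of alerts
    from the same source within `window` seconds, increment the count for
    (earlier_type, later_type). Rows are normalised so acm[a][b] is the
    fraction of a's follow-up alerts that were of type b."""
    counts = defaultdict(lambda: defaultdict(int))
    by_src = defaultdict(list)
    for ts, src, atype in sorted(alerts):
        by_src[src].append((ts, atype))
    for seq in by_src.values():
        for i, (t_i, a_i) in enumerate(seq):
            for t_j, a_j in seq[i + 1:]:
                if t_j - t_i > window:
                    break  # sequence is time-sorted; later ones are further away
                counts[a_i][a_j] += 1
    acm = {}
    for a, row in counts.items():
        total = sum(row.values())
        acm[a] = {b: n / total for b, n in row.items()}
    return acm


def related_previous(acm, previous_types, current_type, threshold=0.5):
    """Return the earlier alert types the current alert should be linked to.
    The paper uses MLP/SVM output for this decision; here the ACM strength
    stands in for it (an assumption of this example)."""
    return [p for p in previous_types
            if acm.get(p, {}).get(current_type, 0.0) >= threshold]


def extract_strategy(acm, threshold=0.5):
    """Keep only strong transitions: a directed graph of attack steps."""
    return {a: [b for b, s in sorted(row.items()) if s >= threshold]
            for a, row in acm.items()}
```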