Enhancing the Content of the Intrusion Alerts Using Logic Correlation.

To solve the problem of the alert flooding and information semantics in the existing IDS, the approach using the logic correction to enhance the content of the alerts is presented. The Chronicle based on time intervals is presented to describe the temporal time constrains among intrusion alerts, and the Chronicle patterns are designed to integrate the alerts of the sequence generated by an attacker into a high-level alert. Then the preparing relation between the high-level alerts is defined and the one-order logic algorithm is applied to correlate these high-level alerts with the preparing relationship. The attack scenario is constructed by drawing the attack graph. In the end an example is given to show the performance of this algorithm in decreasing the number and improving the information semantics of the intrusion alerts. [ABSTRACT FROM AUTHOR]