Authors
Seyed Hossein Ahmadinejad, Saeed Jalili, Mahdi Abadi
Publication date
2011/6/23
Journal
Computer Networks
Volume
55
Issue
9
Pages
2221–2240
Publisher
Elsevier
Description
Managing and analyzing a huge number of low-level alerts is very difficult and exhausting for network administrators. Alert correlation methods have been proposed to decrease the number of alerts and make them more intelligible. Proposed methods for alert correlation differ in terms of their performance, accuracy and adaptivity. We present a new hybrid model that not only correlates alerts as accurately and efficiently as possible but is also able to improve the model over time. The model presented in this paper consists of two parts: (1) an attack-graph-based method to correlate alerts raised for known attacks and to hypothesize missed alerts, and (2) a similarity-based method to correlate alerts raised for unknown attacks that cannot be correlated using the first part, and also to update the attack graph. These two parts cooperate with each other such that if the first part could not correlate a new alert …