# Alert Correlation

* Different attack manifestations
    * Network packets
    * OS Calls
    * Audit records
    * Application logs
* Different types of intrusion detection
    * Host vs network
    * IT environment (e.g., Windows vs Linux)
    * Level of abstraction (e.g., kernel level vs application level)
* Goal:
    * Aggregate outputs of multiple IDSs
    * Filter out irrelevant alerts
    * Provide succinct view of security-related activity on the network

## Components
* Normalization: translate alerts to a common format
* Preprocessing: augment normalized alerts by assigning meaningful values to all alert attributes
    * start time, end time
    * source, target
* Fusion: combine alerts representing the same attack by different IDSs
* Verification: determine the success of the attack corresponding to the alert
* Thread reconstruction: combine series of alerts due to attacks by a single attacker against a single target
* Session reconstruction: associate network-based alerts and host-based alerts
* Focus recognition: identify hosts that are source or target of many attacks
    * e.g., a port scanner (one source, many targets) or a DoS victim (many sources, one target)
* Multistep correlation: identify common attack patterns
    * sequence of individual attacks at different points of network
    * example: island hopping
* Impact analysis: determine the attack impact for the specific network
* Prioritization: assign priorities to alerts

## Alert preprocessing
* supply missing alert attributes as accurately as possible
    * use several heuristics

## Alert Fusion
* Goal: combine alerts representing independent detections of the same attack by different IDSs
* Fusion criteria: temporal difference between alerts and the information they contain
    * Keep a sliding time window of alerts
    * Alerts within the time window are stored in a time-ordered queue
    * Upon a new alert, compare it to the alerts in the queue
    * Match if all overlapping attributes are equal and the new alert is produced by a different sensor
    * Upon a match, the alerts are merged; the resulting meta-alert replaces the matched alert in the queue
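The sliding-window fusion above, as an added example (not code from the original notes or from any IDS). The alerts are constructed and already normalized to a flat dictionary; the attribute names (`start`, `end`, `sensor`, `source`, `target`, `target_port`) are an assumption standing in for a real normalized format such as IDMEF. A meta-alert records the set of contributing sensors, so a sensor that already contributed to a meta-alert cannot fuse into it again.

```python
# Added example: alert fusion over a sliding time window.
# Timestamps are seconds; attribute names are an assumption (not IDMEF).

TIME_KEYS = {"start", "end"}
META_KEYS = {"sensor", "sensors", "members"}   # never compared as attributes

# Constructed sample alerts (not real IDS output).
SAMPLE_ALERTS = [
    {"start": 100.0, "end": 100.0, "sensor": "snort-dmz", "name": "WEB-IIS cmd.exe access",
     "source": "10.0.0.5", "target": "192.168.1.10", "target_port": 80},
    # same attack seen 1.5 s later by a different sensor, no target_port attribute: fuses
    {"start": 101.5, "end": 101.5, "sensor": "suricata-core", "name": "WEB-IIS cmd.exe access",
     "source": "10.0.0.5", "target": "192.168.1.10"},
    # same sensor as the first alert: a sensor cannot fuse into a meta-alert twice
    {"start": 102.0, "end": 102.0, "sensor": "snort-dmz", "name": "WEB-IIS cmd.exe access",
     "source": "10.0.0.5", "target": "192.168.1.10", "target_port": 80},
    # third sensor, but an overlapping attribute (target_port) conflicts: no fusion
    {"start": 103.0, "end": 103.0, "sensor": "ossec-web", "name": "WEB-IIS cmd.exe access",
     "source": "10.0.0.5", "target": "192.168.1.10", "target_port": 8080},
    # same attack much later: outside the window, so it stays a separate alert
    {"start": 400.0, "end": 400.0, "sensor": "suricata-core", "name": "WEB-IIS cmd.exe access",
     "source": "10.0.0.5", "target": "192.168.1.10", "target_port": 80},
]


def _sensors(alert):
    """Set of sensors that contributed to an alert or meta-alert."""
    return alert.get("sensors") or {alert["sensor"]}


def _overlapping_equal(a, b):
    """Match rule: every attribute present in both alerts has the same value."""
    shared = (set(a) & set(b)) - TIME_KEYS - META_KEYS
    return all(a[k] == b[k] for k in shared)


def _merge(queued, new):
    """Build the meta-alert: union of attributes, spanning time interval, all sensors."""
    meta = dict(queued)
    for k, v in new.items():
        if k not in TIME_KEYS and k not in META_KEYS:
            meta.setdefault(k, v)          # shared keys are equal; fill in the rest
    meta["start"] = min(queued["start"], new["start"])
    meta["end"] = max(queued["end"], new["end"])
    meta["sensors"] = _sensors(queued) | _sensors(new)
    meta["members"] = queued.get("members", [queued]) + [new]
    meta.pop("sensor", None)
    return meta


def fuse(alerts, window):
    """Return the fused alert stream; `window` is the sliding window in seconds."""
    queue = []   # time-ordered by start; entries are alerts or meta-alerts
    out = []
    for alert in sorted(alerts, key=lambda a: a["start"]):
        # entries that fell out of the window can no longer be fused: emit them
        while queue and alert["start"] - queue[0]["start"] > window:
            out.append(queue.pop(0))
        for i, queued in enumerate(queue):
            if alert["sensor"] not in _sensors(queued) and _overlapping_equal(queued, alert):
                queue[i] = _merge(queued, alert)   # meta-alert replaces the matched entry
                break
        else:
            queue.append(alert)
    out.extend(queue)
    return out


if __name__ == "__main__":
    for a in fuse(SAMPLE_ALERTS, window=10.0):
        print(sorted(_sensors(a)), a["start"], a["end"], a.get("target_port"))
```

With a 10 s window the five constructed alerts become four: one meta-alert from the first two (carrying `target_port` 80 from the first alert, since the second did not contradict it), the repeat from the same sensor, the conflicting-port alert, and the late one.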
    
## Alert Verification
* True positive: the attack was detected and succeeded
* Irrelevant positive: the attack was detected but failed (e.g., against a target that is not vulnerable)
* False positive: no attack took place
* Idea: extend intrusion detection signatures with the expected "outcome" of the attack
    * visible and verifiable traces left by the attack
    * example: temporary file, outgoing connection

## Attack thread reconstruction
* Combines a series of alerts due to attacks by one attacker against a single target
* Idea: merge alerts with equivalent source and target attributes in temporal proximity

## Attack session reconstruction
* Goal: link network-based alerts to related host-based alerts
* Idea: rough spatial and temporal correspondence between the alerts (same host, overlapping time)

## Attack focus recognition
* Goal: identify hosts that are either the source or the target of a substantial number of attacks
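Thread reconstruction and focus recognition together, as an added example (not code from the original notes). Threads are built by grouping alerts with the same (source, target) pair whose gap to the previous alert in the thread is at most `gap` seconds; focus recognition then counts distinct peers per host over those threads. The alerts are constructed, and the attribute names and the `breakin`-style alert names are assumptions.

```python
# Added example: attack thread reconstruction followed by focus recognition.
from collections import defaultdict

# Constructed, already-fused alerts (not real IDS output); attribute names are an assumption.
ALERTS = [
    {"start": 10, "end": 10, "source": "10.0.0.5", "target": "192.168.1.10", "name": "portscan"},
    {"start": 14, "end": 14, "source": "10.0.0.5", "target": "192.168.1.10", "name": "ftp-overflow"},
    {"start": 18, "end": 18, "source": "10.0.0.5", "target": "192.168.1.10", "name": "new-root-shell"},
    # the same attacker sweeping three more hosts: one-to-many
    {"start": 20, "end": 20, "source": "10.0.0.5", "target": "192.168.1.11", "name": "portscan"},
    {"start": 21, "end": 21, "source": "10.0.0.5", "target": "192.168.1.12", "name": "portscan"},
    {"start": 22, "end": 22, "source": "10.0.0.5", "target": "192.168.1.13", "name": "portscan"},
    # three sources flooding one host: many-to-one
    {"start": 30, "end": 30, "source": "172.16.4.1", "target": "192.168.1.10", "name": "syn-flood"},
    {"start": 31, "end": 31, "source": "172.16.4.2", "target": "192.168.1.10", "name": "syn-flood"},
    {"start": 32, "end": 32, "source": "172.16.4.3", "target": "192.168.1.10", "name": "syn-flood"},
    # same pair as the first thread but far outside the gap: a new thread
    {"start": 500, "end": 500, "source": "10.0.0.5", "target": "192.168.1.10", "name": "portscan"},
]


def reconstruct_threads(alerts, gap):
    """Group alerts with equal (source, target) whose start is within `gap`
    seconds of the end of the thread's previous alert."""
    threads = []
    open_threads = {}   # (source, target) -> index of the most recent thread for that pair
    for alert in sorted(alerts, key=lambda a: a["start"]):
        key = (alert["source"], alert["target"])
        idx = open_threads.get(key)
        if idx is not None and alert["start"] - threads[idx]["end"] <= gap:
            thread = threads[idx]
            thread["alerts"].append(alert)
            thread["end"] = max(thread["end"], alert["end"])
        else:
            threads.append({"source": key[0], "target": key[1],
                            "start": alert["start"], "end": alert["end"],
                            "alerts": [alert]})
            open_threads[key] = len(threads) - 1
    return threads


def recognize_focus(threads, threshold):
    """Hosts that attack at least `threshold` distinct targets (one-to-many,
    e.g. a scanner) or are attacked by at least `threshold` distinct sources
    (many-to-one, e.g. a DDoS victim)."""
    targets_of = defaultdict(set)
    sources_of = defaultdict(set)
    for t in threads:
        targets_of[t["source"]].add(t["target"])
        sources_of[t["target"]].add(t["source"])
    return {
        "one_to_many": {h for h, peers in targets_of.items() if len(peers) >= threshold},
        "many_to_one": {h for h, peers in sources_of.items() if len(peers) >= threshold},
    }


if __name__ == "__main__":
    threads = reconstruct_threads(ALERTS, gap=60)
    for t in threads:
        print(t["source"], "->", t["target"], [a["name"] for a in t["alerts"]])
    print(recognize_focus(threads, threshold=3))
```

Counting distinct peers rather than raw alert volume is what separates a scanner (one source, many targets) from a single noisy thread: with `gap=60` the constructed input yields eight threads, `10.0.0.5` is flagged as one-to-many and `192.168.1.10` as many-to-one.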

## Multistep correlation
* Goal: identify high-level attack patterns that are composed of several individual attacks
* High-level attack signatures: an ordered sequence of lower-level attack classes
    * Example: recon-breakin-escalate
    * Example: island hopping, where a compromised host becomes the source of the next attack
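Both patterns above, as an added example (not code from the original notes). A high-level signature is written as an ordered list of alert classes and matched as a subsequence of a thread's alerts; island hopping is found by chaining threads whose target becomes the source of a later thread, restricted to threads that contain a break-in. The threads are constructed, and the `class` attribute, the class names (`recon`, `breakin`, `escalate`, `dos`) and the signature notation are assumptions.

```python
# Added example: multistep correlation over reconstructed attack threads.

# Constructed threads (the output of thread reconstruction); not real IDS data.
# Each alert carries a coarse "class" assigned during normalization (an assumption).
THREADS = [
    {"source": "10.0.0.5", "target": "192.168.1.10", "alerts": [
        {"start": 10, "class": "recon", "name": "portscan"},
        {"start": 14, "class": "breakin", "name": "ftp-overflow"},
        {"start": 18, "class": "escalate", "name": "new-root-shell"},
    ]},
    # the compromised host attacks the next one: island hopping, hop 1
    {"source": "192.168.1.10", "target": "192.168.1.20", "alerts": [
        {"start": 40, "class": "recon", "name": "portscan"},
        {"start": 45, "class": "breakin", "name": "ssh-brute-force"},
    ]},
    # hop 2
    {"source": "192.168.1.20", "target": "192.168.1.30", "alerts": [
        {"start": 90, "class": "breakin", "name": "smb-overflow"},
    ]},
    # a DoS against the first target: no compromise, so it cannot start a hop chain
    {"source": "172.16.4.1", "target": "192.168.1.10", "alerts": [
        {"start": 30, "class": "dos", "name": "syn-flood"},
    ]},
]

SIGNATURES = {
    "recon-breakin-escalate": ["recon", "breakin", "escalate"],
    "recon-breakin": ["recon", "breakin"],
}


def match_signature(thread, signature):
    """True if the thread's alerts, in time order, contain the signature's
    classes as an ordered (not necessarily contiguous) subsequence."""
    it = iter(sorted(thread["alerts"], key=lambda a: a["start"]))
    return all(any(a["class"] == step for a in it) for step in signature)


def multistep_correlate(threads, signatures):
    """Map thread index -> names of the high-level signatures it matches."""
    return {i: [name for name, sig in signatures.items() if match_signature(t, sig)]
            for i, t in enumerate(threads)}


def compromised(thread):
    """A thread can serve as a hop only if it contains a break-in."""
    return any(a["class"] == "breakin" for a in thread["alerts"])


def island_hopping(threads, min_hops=2):
    """Chains of host addresses where each compromising thread's target is the
    source of a later compromising thread."""
    hops = [i for i, t in enumerate(threads) if compromised(t)]

    def start(i):
        return min(a["start"] for a in threads[i]["alerts"])

    def successors(i):
        return [j for j in hops if j != i
                and threads[j]["source"] == threads[i]["target"]
                and start(j) > start(i)]

    chains = []

    def walk(chain):
        nxt = [j for j in successors(chain[-1]) if j not in chain]
        if not nxt:
            if len(chain) >= min_hops:
                chains.append([threads[i]["source"] for i in chain]
                              + [threads[chain[-1]]["target"]])
            return
        for j in nxt:
            walk(chain + [j])

    # start only from threads that are not themselves a hop from an earlier thread
    roots = [i for i in hops if not any(i in successors(k) for k in hops)]
    for i in roots:
        walk([i])
    return chains


if __name__ == "__main__":
    print(multistep_correlate(THREADS, SIGNATURES))
    print(island_hopping(THREADS))
```

Requiring a break-in before a thread can act as a hop is what keeps the syn-flood from being chained into the attack path: a host that was only flooded is not under the attacker's control.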