Probabilistic alert correlation
Abstract
This invention uses probabilistic correlation techniques to increase sensitivity, reduce false alarms, and improve alert report quality in intrusion detection systems. In one preferred embodiment, an intrusion detection system includes at least two sensors to monitor different aspects of a computer network, such as a sensor that monitors network traffic and a sensor that discovers and monitors available network resources. The sensors are correlated in that the belief state of one sensor is used to update or modify the belief state of another sensor. In another embodiment of this invention, probabilistic correlation techniques are used to organize alerts generated by different sensors in an intrusion detection system. By comparing features of each new alert with features of previous alerts, rejecting a match if a feature fails to meet or exceed a minimum similarity value, and adjusting the comparison by an expectation that certain feature values will or will not match, the alerts can be grouped in an intelligent manner.
Claims (6; independent claims shown)

1. A method for organizing alerts into alert classes, both the alerts and alert classes having a plurality of features, the method comprising the steps of:
(a) receiving a new alert;
(b) identifying a set of potentially similar features shared by the new alert and one or more existing alert classes;
(c) updating a minimum similarity requirement for one or more features;
(d) updating a similarity expectation for one or more features;
(e) comparing the new alert with one or more alert classes, and either:
(f1) associating the new alert with the existing alert class that the new alert most closely matches;
or (f2) defining a new alert class that is associated with the new alert.

3. A method for organizing alerts having a plurality of features, each feature having one or more values, the method comprising the steps of:
(a) generating a group of feature records for a new alert, each feature record including a list of observed values for its corresponding feature;
(b) identifying a set of potentially similar features shared by the new alert and one or more existing alert classes that are associated with previous alerts;
(c) comparing the new alert to one or more alert classes;
(d) rejecting a match if any feature for which a minimum similarity value has been set fails to meet or exceed the minimum similarity value;
(e) adjusting the comparison by an expectation that certain feature values will or will not match, and either:
(f1) associating the new alert with the existing alert class that the new alert most closely matches;
or (f2) defining a new alert class that is associated with the new alert.

4. In an intrusion detection system that includes a plurality of sensors, each of which generates alerts when attacks or anomalous incidents are detected, a method for organizing the alerts comprising the steps of:
(a) receiving an alert;
(b) identifying a set of features that may be shared by the received alert and one or more existing alert classes;
(c) setting a minimum similarity value for one or more features or feature groups;
(d) comparing the new alert to one or more of the alert classes, and either:
(d1) defining a new alert class that is associated with the received alert if any feature or feature group that has a minimum similarity value fails to meet or exceed its minimum similarity value;
or (d2) associating the received alert with the existing alert class that the received alert most closely matches.

5. A method for organizing alerts into alert classes, both the alerts and alert classes having a plurality of features, the method comprising the steps of:
(a) receiving a new alert;
(b) identifying a set of potentially similar features shared by the new alert and one or more existing alert classes;
(c) updating a minimum similarity requirement for one or more features;
(d) comparing the new alert with one or more alert classes, and either:
(e1) associating the new alert with the existing alert class that the new alert most closely matches;
or (e2) defining a new alert class that is associated with the new alert.

6. A method for organizing alerts having a plurality of features, each feature having one or more values, the method comprising the steps of:
(a) generating a group of feature records for a new alert, each feature record including a list of observed values for its corresponding feature;
(b) identifying a set of potentially similar features shared by the new alert and one or more existing alert classes that are associated with previous alerts;
(c) comparing the new alert to one or more alert classes;
(d) rejecting a match if any feature for which a minimum similarity value has been set fails to meet or exceed the minimum similarity value, and either:
(e1) associating the new alert with the existing alert class that the new alert most closely matches;
or (e2) defining a new alert class that is associated with the new alert.
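The alert-organizing procedure of the abstract and of claims 3 and 6, as an added Python example that is not the patent's own implementation: each feature record is a set of observed values, a per-feature minimum similarity gives the hard rejection of step (d), and a per-feature expectation weights the comparison as in step (e) before the alert is merged into the best-matching class or opens a new one. The feature names, thresholds, the scan-specific expectation table and the sample alerts are constructed for illustration.

```python
def jaccard(a, b):
    """Overlap between an alert's values and a class's observed values, in [0, 1]."""
    return len(a & b) / len(a | b) if a and b else 0.0

def score(alert, cls, min_sim, expectation):
    """Expectation-weighted similarity, or None when a feature fails its minimum."""
    total = weight = 0.0
    for f in alert.keys() | cls.keys():
        s = jaccard(alert.get(f, set()), cls.get(f, set()))
        if s < min_sim.get(f, 0.0):
            return None                  # step (d): required feature too dissimilar
        w = expectation.get(f, 1.0)      # step (e): low weight = not expected to match
        total += w * s
        weight += w
    return total / weight if weight else 0.0

def correlate(alert, classes, min_sim, expectation, accept=0.8):
    """Merge the alert into its best-matching class or open a new one; returns a 1-based id."""
    best, best_score = None, accept
    for i, cls in enumerate(classes):
        s = score(alert, cls, min_sim, expectation)
        if s is not None and s >= best_score:
            best, best_score = i, s
    if best is None:
        classes.append({})
        best = len(classes) - 1
    for f, vals in alert.items():
        classes[best].setdefault(f, set()).update(vals)  # grow the class's feature records
    return best + 1

# Constructed sample input (documentation-range addresses): target hosts must overlap,
# and a port scan's ports are not expected to repeat, so that feature barely counts.
MIN_SIM = {"dst_ip": 0.01}
EXPECTATION = {"portscan": {"dst_port": 0.1}}
ALERTS = [
    {"attack": {"portscan"}, "src_ip": {"203.0.113.9"}, "dst_ip": {"10.0.0.5"}, "dst_port": {"22", "80", "443"}},
    {"attack": {"portscan"}, "src_ip": {"203.0.113.9"}, "dst_ip": {"10.0.0.5"}, "dst_port": {"8080", "3306"}},
    {"attack": {"ssh-bruteforce"}, "src_ip": {"198.51.100.7"}, "dst_ip": {"10.0.0.5"}, "dst_port": {"22"}},
    {"attack": {"portscan"}, "src_ip": {"203.0.113.9"}, "dst_ip": {"10.0.0.77"}, "dst_port": {"22", "80"}},
]

def run(alerts=ALERTS, expectation=EXPECTATION):
    """Correlate alerts in order; the expectation table is chosen per alert from its attack type."""
    classes = []
    return [correlate(a, classes, MIN_SIM, expectation.get(next(iter(a["attack"])), {})) for a in alerts]

if __name__ == "__main__":
    print(run())   # prints [1, 1, 2, 3]
```

With the expectation table removed the second scan no longer reaches the acceptance score and opens its own class, which is the effect step (e) is meant to prevent; the scan of a different host is rejected by the minimum on `dst_ip` whatever its other features.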
Specification