Probabilistic alert correlation
2 Assignments
0 Petitions
Abstract
This invention uses probabilistic correlation techniques to increase sensitivity, reduce false alarms, and improve alert report quality in intrusion detection systems. In one preferred embodiment, an intrusion detection system includes at least two sensors to monitor different aspects of a computer network, such as a sensor that monitors network traffic and a sensor that discovers and monitors available network resources. The sensors are correlated in that the belief state of one sensor is used to update or modify the belief state of another sensor. In another embodiment of this invention, probabilistic correlation techniques are used to organize alerts generated by different sensors in an intrusion detection system. By comparing features of each new alert with features of previous alerts, rejecting a match if a feature fails to meet or exceed a minimum similarity value, and adjusting the comparison by an expectation that certain feature values will or will not match, the alerts can be grouped in an intelligent manner.
6 Claims
1. In an intrusion detection system that includes a plurality of sensors that generate alerts when attacks or anomalous incidents are detected, a method for organizing the alerts into alert classes, both the alerts and the alert classes having a plurality of features, the method comprising:
(a) receiving a new alert;
(b) identifying a set of similar features shared by the new alert and one or more existing alert classes;
(c) updating, using a processor, a threshold similarity requirement for one or more of the similar features;
(d) updating, using a processor, a similarity expectation for one or more of the similar features;
(e) comparing, using a processor, the new alert with the one or more existing alert classes, using a similarity measure Sim(X,Y) that expresses a similarity between the new alert and a given one of the one or more existing alert classes, where SIM(X,Y) is defined as;
3. A computer readable storage medium containing an executable program for organizing alerts that are generated by a plurality of sensors into alert classes, both the alerts and the alert classes having a plurality of features, where the program, when executed by a processor, causes the processor to perform steps of:
(a) receiving a new alert;
(b) identifying a set of similar features shared by the new alert and one or more existing alert classes;
(c) updating a threshold similarity requirement for one or more of the similar features;
(d) updating a similarity expectation for one or more of the similar features;
(e) comparing the new alert with the one or more existing alert classes, using a similarity measure Sim(X,Y) that expresses a similarity between the new alert and a given one of the one or more existing alert classes, where SIM(X,Y) is defined as;
5. In an intrusion detection system that includes a plurality of sensors that generate alerts when attacks or anomalous incidents are detected, a system for organizing the alerts into alert classes, both the alerts and the alert classes having a plurality of features, where the system comprises:
(a) means for receiving a new alert;
(b) means for identifying a set of similar features shared by the new alert and one or more existing alert classes;
(c) means for updating a threshold similarity requirement for one or more of the similar features;
(d) means for updating a similarity expectation for one or more of the similar features;
(e) means for comparing the new alert with the one or more existing alert classes, using a similarity measure Sim(X,Y) that expresses a similarity between the new alert and a given one of the one or more existing alert classes, where SIM(X,Y) is defined as;
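The grouping procedure described in the abstract and in claims 1, 3 and 5 (per-feature comparison of a new alert against existing classes, a minimum-similarity veto, and expectation weighting), as an added runnable illustration in Python. This is not the patent's Sim(X,Y), which is not reproduced on this page, and not the inventors' code: the per-feature metrics, the fixed minimums and expectation weights, the weighted-mean combination and the 0.7 merge threshold are all assumptions chosen for illustration, and the alerts are constructed.

```python
from itertools import takewhile
def ip_sim(a, b):  # fraction of leading octets shared by two IPv4 strings (assumed metric)
    pairs = zip(a.split("."), b.split("."))
    return sum(1 for _ in takewhile(lambda p: p[0] == p[1], pairs)) / 4

def time_sim(a, b, window=600):  # linear decay to 0 over a 10-minute window (assumed metric)
    return max(0.0, 1 - abs(a - b) / window)
exact_sim = lambda a, b: 1.0 if a == b else 0.0

# Per feature: (similarity function, minimum similarity, expectation weight).
# The minimum is the veto: one feature below it rejects the match outright.
# The weights encode that a probing source is expected to keep its src_ip and
# signature but not its dst_port, so a port mismatch barely lowers the score.
FEATURES = {
    "src_ip":    (ip_sim,    0.5, 1.0),
    "signature": (exact_sim, 0.0, 1.0),
    "dst_port":  (exact_sim, 0.0, 0.1),
    "time":      (time_sim,  0.0, 0.5),
}

def sim(alert, cls):  # assumed Sim(X,Y): veto below a minimum, else expectation-weighted mean
    num = den = 0.0
    for name, (f, minimum, weight) in FEATURES.items():
        s = max(f(alert[name], v) for v in cls[name])  # class feature = set of values seen
        if s < minimum:
            return 0.0
        num += weight * s
        den += weight
    return num / den

def correlate(alerts, merge_threshold=0.7):
    """Merge each alert into its best class if the score clears the threshold, else open a new class."""
    classes = []
    for alert in alerts:
        best = max(classes, key=lambda c: sim(alert, c), default=None)
        if best is not None and sim(alert, best) >= merge_threshold:
            for name in FEATURES:
                best[name].add(alert[name])
            best["members"].append(alert)
        else:
            classes.append({**{n: {alert[n]} for n in FEATURES}, "members": [alert]})
    return classes

# Constructed sample alerts (not real data): one source probing three ports, then an unrelated alert.
ALERTS = [
    {"src_ip": "10.0.0.5",   "signature": "PORTSCAN", "dst_port": 22,  "time": 0},
    {"src_ip": "10.0.0.5",   "signature": "PORTSCAN", "dst_port": 80,  "time": 30},
    {"src_ip": "10.0.0.5",   "signature": "PORTSCAN", "dst_port": 443, "time": 60},
    {"src_ip": "172.16.9.9", "signature": "SQLI",     "dst_port": 80,  "time": 100},
]
```

Running correlate(ALERTS) yields two classes: the three PORTSCAN alerts merge despite differing ports because dst_port carries a low expectation weight, while the SQLI alert is vetoed on src_ip and opens its own class. The claims update the threshold and expectation per new alert; here both are held fixed per feature to keep the example short.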