
Data Reduction in Intrusion Alert Correlation

By Gianni Tedesco and Uwe Aickelin


Network intrusion detection sensors are usually built around low-level models of network traffic. This means that their output is at a similarly low level and, as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately, alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation, a large number of extraneous alerts can be included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack

Year: 2006
Provided by: Nottingham ePrints

