DocumentCode
2173530
Title
Event Correlation on the Basis of Activation Patterns
Author
Teufl, Peter ; Payer, Udo ; Fellner, Reinhard
Author_Institution
Inst. for Appl. Inf. Process. & Commun. (IAIK), Graz Univ. of Technol., Graz, Austria
fYear
2010
fDate
17-19 Feb. 2010
Firstpage
631
Lastpage
640
Abstract
Intrusion Detection Systems (IDS) deploy various sensors that collect data, process this data and report events. The process of combining these events or superordinate incidences is known as event correlation. The key issues of this process are (1) to find a way to combine events based on different data types (e.g. log entries, connection statistics or protocol identifiers), (2) to build a model representing the relations between the events and (3) to apply subsequent analyses that allow us to extract meaningful information from the trained model. In order to address these key issues, we introduce the concept of Activation Patterns. These patterns are generated by applying various techniques from machine learning and artificial intelligence to the raw event data. The presented technique is then integrated into an event correlation system. We describe the system and evaluate it by analyzing a popular intrusion detection data set consisting of a wide range of different features.
Keywords
security of data; activation patterns; artificial intelligence; connection statistics; event correlation system; intrusion detection systems; log entries; machine learning; protocol identifiers; superordinate incidences; Artificial intelligence; Data mining; Event detection; Expert systems; Humans; Information processing; Intrusion detection; Libraries; Machine learning; Sensor systems; activation patterns; event correlation; kdd; machine learning; semantic networks; sensor fusion; spreading activation; unsupervised clustering;
fLanguage
English
Publisher
ieee
Conference_Titel
Parallel, Distributed and Network-Based Processing (PDP), 2010 18th Euromicro International Conference on
Conference_Location
Pisa
ISSN
1066-6192
Print_ISBN
978-1-4244-5672-7
Electronic_ISBN
1066-6192
Type
conf
DOI
10.1109/PDP.2010.80
Filename
5452408