• DocumentCode
    653907
  • Title
    A new alert correlation framework based on entropy
  • Author
    GhasemiGol, Mohammad ; Ghaemi-Bafghi, Abbas
  • Author_Institution
    Dept. of Comput. Eng., Ferdowsi Univ. of Mashhad, Mashhad, Iran
  • fYear
    2013
  • fDate
    Oct. 31 2013-Nov. 1 2013
  • Firstpage
    184
  • Lastpage
    189
  • Abstract
    With the development of computer networks, security devices produce a large volume of low-level alerts. Analysis and management of these intrusion alerts is a troublesome and time-consuming task for network supervisors and intrusion response systems. Alert correlation methods find similarity and causality relationships between raw alerts to reduce alert redundancy, intelligently correlate security alerts and detect attack strategies. Several different approaches to alert correlation have been proposed, which are designed for detecting known attack scenarios. This paper presents a new alert correlation framework that does not use predefined knowledge. For this purpose, we define the concept of partial entropy for each alert to find the alert clusters with the same information. Then we represent the alert clusters by an intelligible notation called a hyper-alert. Finally, a subset of hyper-alerts is selected based on entropy maximization. The results of experiments clearly show the efficiency of the proposed framework. We achieved a promising reduction ratio of 99.83% in the LLS_DDOS_1.0 attack scenario of the DARPA2000 dataset, while the constructed hyper-alerts retain enough information to discover the attack scenario.
  • Keywords
    computer network security; entropy; pattern clustering; DARPA2000 dataset; LLS_DDOS_1.0 attack scenario; alert clusters; alert correlation framework; entropy maximization; hyper-alert; partial entropy concept; Correlation; Entropy; IP networks; Internet; Ports (Computers); Protocols; Training; alert correlation; entropy; hierarchical clustering method; intrusion detection;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer and Knowledge Engineering (ICCKE), 2013 3rd International eConference on
  • Conference_Location
    Mashhad
  • Print_ISBN
    978-1-4799-2092-1
  • Type
    conf
  • DOI
    10.1109/ICCKE.2013.6682843
  • Filename
    6682843