There are several approaches for intrusion detection but none of them is fully satisfactory. They generally generate too many false positives and the alerts are too elementary and not enough accurate to be directly managed by a security administrator. A promising approach is to develop a cooperation module to analyze alerts and to generate more global and synthetic alerts. This paper presents the work we did in this context within the MIRADOR project. We suggest specifications for three functions: alert base management, alert clustering and alert merging. The approach is compliant with the IDMEF format currently being defined at the IETF.
Keywords: Intrusion Detection System, IDMEF, cooperative intrusion detection, alert clustering, alert merging
Read Paper (in PDF)