Aggregation and Correlation of Intrusion-Detection Alerts

This paper describes an aggregation and correlation algorithm used in the design and implementation of an intrusion-detection console built on top of the Tivoli Enterprise Console (TEC). The algorithm acquires intrusion-detection alerts and relates them to one another in order to expose a more condensed view of the security issues raised by intrusion-detection systems.
Keywords: Intrusion detection, alert aggregation, alert correlation, alert data model
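The abstract names the two steps, aggregation and correlation, but does not describe how they are performed. As an added illustration that is not the paper's algorithm nor code from the TEC console, the following Python sketches one common reading of those steps on constructed sample alerts: aggregation merges alerts that share source, target and attack class within a time window into a single alert with a count, and correlation links aggregated alerts that share source and target into one "situation". The field names, the window lengths and the sample alerts are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Alert:
    """One raw alert as a sensor might report it (hypothetical schema)."""
    time: float      # seconds relative to an arbitrary epoch
    sensor: str      # sensor that raised the alert
    source: str      # attacking host
    target: str      # attacked host
    cls: str         # attack class reported by the sensor


@dataclass
class AggregatedAlert:
    """Alerts with the same (source, target, class) seen close together in time."""
    source: str
    target: str
    cls: str
    first_seen: float
    last_seen: float
    count: int = 0
    sensors: Set[str] = field(default_factory=set)


@dataclass
class Situation:
    """Aggregated alerts on the same (source, target) pair, linked in time order."""
    source: str
    target: str
    first_seen: float
    last_seen: float
    steps: List[AggregatedAlert] = field(default_factory=list)

    @property
    def total_alerts(self) -> int:
        return sum(s.count for s in self.steps)

    @property
    def classes(self) -> List[str]:
        return [s.cls for s in self.steps]


# Constructed sample input, not data from the paper. Deliberately unsorted.
SAMPLE_ALERTS = [Alert(*row) for row in [
    (0,   "nids-1",  "10.0.0.5", "10.0.1.20", "portscan"),
    (4,   "nids-1",  "10.0.0.5", "10.0.1.20", "portscan"),
    (9,   "nids-2",  "10.0.0.5", "10.0.1.20", "portscan"),
    (30,  "nids-1",  "10.0.0.5", "10.0.1.20", "ftp-exploit"),
    (31,  "hids-20", "10.0.0.5", "10.0.1.20", "ftp-exploit"),
    (400, "nids-1",  "10.0.0.5", "10.0.1.20", "portscan"),  # too late for the first group
    (50,  "nids-1",  "10.0.0.9", "10.0.1.21", "portscan"),
]]


def aggregate(alerts: List[Alert], window: float = 120.0) -> List[AggregatedAlert]:
    """Merge alerts sharing (source, target, class) that arrive within `window`
    seconds of the group's most recent alert; a later alert opens a new group."""
    open_groups: Dict[Tuple[str, str, str], AggregatedAlert] = {}
    result: List[AggregatedAlert] = []
    for a in sorted(alerts, key=lambda x: x.time):
        key = (a.source, a.target, a.cls)
        g = open_groups.get(key)
        if g is None or a.time - g.last_seen > window:
            g = AggregatedAlert(a.source, a.target, a.cls, a.time, a.time)
            open_groups[key] = g
            result.append(g)
        g.last_seen = a.time
        g.count += 1
        g.sensors.add(a.sensor)
    return result


def correlate(groups: List[AggregatedAlert], window: float = 600.0) -> List[Situation]:
    """Link aggregated alerts on the same (source, target) pair whose start lies
    within `window` seconds of the situation's last activity."""
    situations: Dict[Tuple[str, str], Situation] = {}
    result: List[Situation] = []
    for g in sorted(groups, key=lambda x: x.first_seen):
        key = (g.source, g.target)
        s = situations.get(key)
        if s is None or g.first_seen - s.last_seen > window:
            s = Situation(g.source, g.target, g.first_seen, g.last_seen)
            situations[key] = s
            result.append(s)
        s.steps.append(g)
        s.last_seen = max(s.last_seen, g.last_seen)
    return result


def condense(alerts: List[Alert], agg_window: float = 120.0,
             corr_window: float = 600.0) -> List[Situation]:
    """Full pipeline: raw alerts -> aggregated alerts -> situations."""
    return correlate(aggregate(alerts, agg_window), corr_window)


if __name__ == "__main__":
    for s in condense(SAMPLE_ALERTS):
        print(f"{s.source} -> {s.target}: {s.total_alerts} alerts in "
              f"{len(s.steps)} steps, classes {s.classes}")
```

On the seven sample alerts the pipeline yields two situations: six alerts against 10.0.1.20 collapse into three steps (scan, exploit, scan), and the single scan against 10.0.1.21 stays on its own. The window lengths decide how aggressively the view is condensed, and a practitioner should check them against the sensor's reporting rate, since a window that is too long hides a new attack behind an old one and a window that is too short reproduces the original flood.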

By: Hervé Debar and Andreas Wespi

Published in: Recent Advances in Intrusion Detection, Proc. 4th Int'l Symp., RAID 2001, Davis, CA, October 2001, ed. by W. Lee, L. Mé, A. Wespi, Lecture Notes in Computer Science vol. 2212, Berlin, Heidelberg, Springer-Verlag, pp. 85-103, 2001

Please obtain a copy of this paper from your local library. IBM cannot distribute this paper externally.