AutoCorrel I – A Neural Network Event Correlation Approach


  1. Dondo, M.
  2. Japkowicz, N.
  3. Smith, R.
Corporate Authors
Defence R&D Canada - Ottawa, Ottawa ONT (CAN)
Intrusion detection analysts are often swamped by the multitude of alerts generated by the intrusion detection systems (IDS) installed on their networks, as well as by router and firewall logs. Managing these alerts properly and correlating them with previously seen threats is critical to protecting a network from attack effectively, yet correlating events manually is a slow, tedious task prone to human error. We present a two-stage alert correlation approach consisting of an artificial neural network (ANN) autoassociator and a single-parameter decision threshold-setting unit. By clustering closely matched alerts together, this approach reduces the analyst's workload. In this approach, alert attributes are extracted from the content of each alert and used to train an autoassociator. Based on the reconstruction error computed by the autoassociator, closely matched alerts are grouped together. Whenever a new alert is received, it is automatically categorised into one of the alert clusters, each of which identifies a type of attack and its severity level as previously labelled by the analyst. If the attack is entirely new and matches none of the existing clusters, this is reported to the analyst accordingly. There are several advantages to an ANN-based approach. First, ANNs acquire knowledge directly from the data, without a human expert having to build sets of domain rules and facts. Second, once trained, ANNs can be very fast, accurate and have high precision f
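The two-stage scheme described in the abstract (autoassociator, then a single-parameter decision threshold) can be made concrete with a small worked example. The code below is an added illustration written for this page; it is not code from the report or its authors. It trains one small sigmoid autoassociator per analyst-labelled alert cluster on one-hot encoded alert attributes, scores an incoming alert by its reconstruction error under every cluster model, and either assigns it to the cluster with the lowest error or flags it as novel when even that error exceeds the threshold parameter `TAU`. The one-model-per-cluster layout, the attribute vocabulary, the port buckets, the threshold value and all alerts are assumptions made for the illustration and are constructed, not taken from the report.

```python
"""Added example (not the report's code): autoassociator alert clustering.

One 12-4-12 sigmoid autoassociator (autoencoder) is trained per known alert
cluster. A new alert is reconstructed by each model; the cluster with the
lowest reconstruction error wins unless that error exceeds TAU, in which case
the alert is reported as novel. Pure Python, deterministic, runs offline.
"""
import math
import random

# Constructed attribute vocabulary and port buckets (assumption, not from the report).
FEATURES = ["proto_tcp", "proto_udp", "proto_icmp",
            "port_web", "port_dns", "port_other",
            "sig_scan", "sig_sqli", "sig_xss", "sig_dos",
            "sev_low", "sev_high"]
PORT_BUCKETS = {80: "web", 443: "web", 53: "dns"}


def vectorise(alert):
    """Attribute extraction: one-hot encode the alert's attributes into a binary vector."""
    active = {"proto_" + alert["proto"],
              "port_" + PORT_BUCKETS.get(alert["dport"], "other"),
              "sig_" + alert["sig"],
              "sev_" + alert["sev"]}
    return [1.0 if f in active else 0.0 for f in FEATURES]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class Autoassociator:
    """Single-hidden-layer autoencoder trained by per-sample SGD on mean squared error."""

    def __init__(self, n_in, n_hidden, seed):
        rng = random.Random(seed)  # fixed seed keeps the example reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        y = [sigmoid(sum(w * hj for w, hj in zip(row, h)) + b) for row, b in zip(self.w2, self.b2)]
        return h, y

    def error(self, x):
        """Reconstruction error: mean squared difference between input and its reconstruction."""
        _, y = self.forward(x)
        return sum((yi - xi) ** 2 for yi, xi in zip(y, x)) / len(x)

    def train(self, xs, epochs=4000, lr=0.5):
        for _ in range(epochs):
            for x in xs:
                h, y = self.forward(x)
                d_out = [(yi - xi) * yi * (1 - yi) for yi, xi in zip(y, x)]
                d_hid = [hj * (1 - hj) * sum(d_out[k] * self.w2[k][j] for k in range(len(d_out)))
                         for j, hj in enumerate(h)]
                for k, dk in enumerate(d_out):
                    for j, hj in enumerate(h):
                        self.w2[k][j] -= lr * dk * hj
                    self.b2[k] -= lr * dk
                for j, dj in enumerate(d_hid):
                    for i, xi in enumerate(x):
                        self.w1[j][i] -= lr * dj * xi
                    self.b1[j] -= lr * dj


# Constructed, analyst-labelled historical alerts; cluster name = attack type / severity.
TRAINING_ALERTS = {
    "recon/low": [
        {"proto": "tcp", "dport": 22, "sig": "scan", "sev": "low"},
        {"proto": "udp", "dport": 53, "sig": "scan", "sev": "low"},
        {"proto": "tcp", "dport": 80, "sig": "scan", "sev": "low"},
    ],
    "web-attack/high": [
        {"proto": "tcp", "dport": 80, "sig": "sqli", "sev": "high"},
        {"proto": "tcp", "dport": 443, "sig": "xss", "sev": "high"},
        {"proto": "tcp", "dport": 8080, "sig": "sqli", "sev": "high"},
    ],
}


def train_clusters(labelled, n_hidden=4):
    """Stage 1: one autoassociator per cluster, trained only on that cluster's alerts."""
    models = {}
    for seed, (name, alerts) in enumerate(labelled.items()):
        model = Autoassociator(len(FEATURES), n_hidden, seed)
        model.train([vectorise(a) for a in alerts])
        models[name] = model
    return models


def reconstruction_errors(models, alert):
    x = vectorise(alert)
    return {name: model.error(x) for name, model in models.items()}


def classify(models, alert, tau):
    """Stage 2: decision unit with a single parameter tau (absolute MSE threshold, assumed)."""
    errs = reconstruction_errors(models, alert)
    best = min(errs, key=errs.get)
    return best if errs[best] <= tau else "novel"


TAU = 0.05
MODELS = train_clusters(TRAINING_ALERTS)

if __name__ == "__main__":
    for alert in [{"proto": "udp", "dport": 53, "sig": "scan", "sev": "low"},
                  {"proto": "tcp", "dport": 80, "sig": "sqli", "sev": "high"},
                  {"proto": "icmp", "dport": 0, "sig": "dos", "sev": "high"}]:
        print(classify(MODELS, alert, TAU), {k: round(v, 3) for k, v in reconstruction_errors(MODELS, alert).items()})
```

The point to notice is where the novelty signal comes from: an output unit whose feature was never active in a cluster's training data learns to emit near zero whatever the hidden code, so an alert carrying that feature is reconstructed badly by that model no matter how the rest of it looks. That is what makes the reconstruction error usable as the match score, and it is why the threshold is the only tuning knob an analyst has to set.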

A French-language summary is also available.

Keywords
Neural Network; Intrusion Detection System; Network Event Correlation; Alert Correlation; Autoassociator
Report Number
DRDC-OTTAWA-TM-2005-193 — Technical Memorandum
Date of publication
01 Oct 2005