With the growing deployment of intrusion detection systems, managing the reports these systems produce becomes critically important. During intensive intrusive activity, not only are true alerts mixed with false alerts, but the volume of alerts also becomes unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the intrusions behind the alerts and to take appropriate action. Even when isolated events are not considered significant, the set of events taken together may be critical. Alert correlation analysis examines meaningful relationships between alert messages. Situation analysis is a branch of alert correlation analysis: it observes attack activity by aggregating alerts that share certain characteristics. In this paper, we present an effective and practical situation analysis scheme that provides real-time analysis capability.
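The abstract describes situation analysis as aggregating alerts that share characteristics. The following is an added illustration of that idea, written for this page; it is not code from the paper and does not reproduce the authors' scheme. It assumes a hypothetical one-line-per-alert format (`timestamp src dst signature`), uses constructed sample alerts, and groups alerts that share a chosen set of attributes while consecutive alerts arrive within a time window. Which attributes form the key is the analyst's choice: keying on source and signature surfaces a single scanner, keying on destination and signature surfaces a host under a distributed brute-force attempt.

```python
"""Aggregate IDS alerts that share attributes into 'situations' (added example, not the paper's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    sig: str


@dataclass
class Situation:
    """A run of alerts sharing the same key, closed once the inter-alert gap exceeds the window."""
    key: Tuple[str, ...]
    first: datetime
    last: datetime
    alerts: List[Alert] = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.alerts)


# Constructed sample alerts in a hypothetical "timestamp src dst signature" format.
# One host scanning several targets, three sources hitting one SSH server,
# an isolated web alert, and a late alert from the scanner after a long pause.
RAW_ALERTS = """\
2024-01-01T10:00:00 10.0.0.5 192.168.1.10 PORTSCAN
2024-01-01T10:00:05 10.0.0.5 192.168.1.11 PORTSCAN
2024-01-01T10:01:00 10.0.0.7 192.168.1.10 SSH_BRUTE
2024-01-01T10:00:10 10.0.0.5 192.168.1.12 PORTSCAN
2024-01-01T10:00:15 10.0.0.5 192.168.1.13 PORTSCAN
2024-01-01T10:01:02 10.0.0.8 192.168.1.10 SSH_BRUTE
2024-01-01T10:00:20 10.0.0.5 192.168.1.14 PORTSCAN
2024-01-01T10:01:04 10.0.0.9 192.168.1.10 SSH_BRUTE
2024-01-01T10:05:00 10.0.0.20 192.168.1.30 WEB_SQLI
2024-01-01T10:30:00 10.0.0.5 192.168.1.15 PORTSCAN
"""


def parse_alert(line: str) -> Alert:
    ts, src, dst, sig = line.split()
    return Alert(datetime.fromisoformat(ts), src, dst, sig)


def parse_alerts(text: str) -> List[Alert]:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def aggregate(alerts: Iterable[Alert], key_fields: Sequence[str], window: timedelta) -> List[Situation]:
    """Group alerts by the attributes in key_fields.

    Alerts are processed in time order (the sample lines arrive slightly out of order,
    as real sensor feeds do). A situation stays open while the next alert with the same
    key arrives within `window` of the previous one; a longer gap starts a new situation.
    """
    results: List[Situation] = []
    open_situations = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = tuple(getattr(a, f) for f in key_fields)
        sit = open_situations.get(key)
        if sit is None or a.ts - sit.last > window:
            sit = Situation(key=key, first=a.ts, last=a.ts)
            open_situations[key] = sit
            results.append(sit)
        sit.alerts.append(a)
        sit.last = a.ts
    return results


def significant(situations: Iterable[Situation], min_count: int) -> List[Situation]:
    """Keep only situations whose aggregated alert count reaches min_count."""
    return [s for s in situations if s.count >= min_count]


def summarize(situations: Iterable[Situation]) -> List[Tuple[Tuple[str, ...], int, str, str]]:
    return [(s.key, s.count, s.first.isoformat(), s.last.isoformat()) for s in situations]


if __name__ == "__main__":
    alerts = parse_alerts(RAW_ALERTS)
    window = timedelta(seconds=60)
    for fields in (("src", "sig"), ("dst", "sig")):
        sits = aggregate(alerts, fields, window)
        print(f"key={fields}: {len(alerts)} alerts -> {len(sits)} situations")
        for row in summarize(significant(sits, 3)):
            print("  significant:", row)
```

Running the block shows the same ten alerts collapsing to six situations under either key, but the situation that crosses the count threshold differs: the source-keyed view reports the scanner (`10.0.0.5`, five PORTSCAN alerts), the destination-keyed view reports the SSH server (`192.168.1.10`, three SSH_BRUTE alerts from different sources). The scanner's late alert at 10:30 falls outside the 60-second window and correctly opens a separate situation rather than inflating the earlier one.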