To reduce redundant and false alerts and to recognize complex attack scenarios, a multilevel model of alert fusion is presented. The model fuses alerts layer by layer through primary alert reduction, alert verification, alert clustering and alert correlation. To construct accurate and complete attack sensors, in the alert clustering phase this paper proposes an alert correlation method based on the similarity between alert attributes and on the prerequisites and consequences of attacks. Experimental results show that the model fuses large numbers of alerts both effectively and efficiently.
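The four fusion levels named in the abstract (reduction, verification, clustering, correlation) are easier to reason about with a concrete pipeline. The following is an added example written for this page, not the paper's own implementation: the attribute-similarity weights, the asset inventory, the signature-to-service mapping and the prerequisite/consequence knowledge base are all constructed toy values, and every function and data name is an assumption chosen for illustration. Each level returns plain data so the effect of each stage can be inspected or asserted on its own.

```python
"""Toy multilevel alert-fusion pipeline (added example; all names and data are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since start of the window
    src: str       # source host
    dst: str       # destination host
    dst_port: int
    sig: str       # IDS signature / attack class name


# Constructed sample alerts: an exact duplicate, a scan -> exploit -> C2 chain on one host,
# and an exploit against a host that does not run the targeted service.
RAW_ALERTS: List[Alert] = [
    Alert(0, "10.0.0.5", "10.0.0.20", 22, "ssh_scan"),
    Alert(0, "10.0.0.5", "10.0.0.20", 22, "ssh_scan"),     # duplicate of the line above
    Alert(3, "10.0.0.5", "10.0.0.20", 445, "smb_scan"),
    Alert(40, "10.0.0.5", "10.0.0.20", 445, "smb_exploit"),
    Alert(42, "10.0.0.20", "10.0.0.99", 4444, "reverse_shell"),
    Alert(50, "10.0.0.7", "10.0.0.21", 80, "iis_exploit"),  # target runs nginx, not IIS
]

# Hypothetical asset inventory: host -> services it actually exposes.
ASSETS: Dict[str, Set[str]] = {"10.0.0.20": {"ssh", "smb"}, "10.0.0.21": {"nginx"}}
# Hypothetical mapping: signature -> service the attack requires on the target.
SIG_REQUIRES_SERVICE: Dict[str, str] = {"iis_exploit": "iis", "smb_exploit": "smb"}
# Hypothetical knowledge base: signature -> (prerequisites, consequences).
PRE_POST: Dict[str, Tuple[Set[str], Set[str]]] = {
    "ssh_scan":      (set(),         {"recon"}),
    "smb_scan":      (set(),         {"recon"}),
    "smb_exploit":   ({"recon"},     {"code_exec"}),
    "reverse_shell": ({"code_exec"}, {"c2"}),
    "iis_exploit":   ({"recon"},     {"code_exec"}),
}


def reduce_alerts(alerts: List[Alert]) -> List[Alert]:
    """Level 1, primary reduction: drop exact duplicates, preserving order."""
    seen: Set[Alert] = set()
    out: List[Alert] = []
    for a in alerts:
        if a not in seen:
            seen.add(a)
            out.append(a)
    return out


def verify_alerts(alerts: List[Alert], assets: Dict[str, Set[str]] = ASSETS) -> List[Alert]:
    """Level 2, verification: keep an alert only if the target exposes the service it needs."""
    out = []
    for a in alerts:
        need = SIG_REQUIRES_SERVICE.get(a.sig)
        if need is None or need in assets.get(a.dst, set()):
            out.append(a)
    return out


def similarity(a: Alert, b: Alert) -> float:
    """Attribute similarity in [0, 1]; weights are arbitrary toy values."""
    score = 0.0
    score += 0.3 if a.src == b.src else 0.0
    score += 0.3 if a.dst == b.dst else 0.0
    score += 0.2 if a.sig == b.sig else 0.0
    score += 0.2 if abs(a.ts - b.ts) <= 60 else 0.0
    return score


def cluster_alerts(alerts: List[Alert], threshold: float = 0.6) -> List[List[Alert]]:
    """Level 3, clustering: greedy; an alert joins the first cluster whose seed is similar enough."""
    clusters: List[List[Alert]] = []
    for a in alerts:
        for c in clusters:
            if similarity(c[0], a) >= threshold:
                c.append(a)
                break
        else:
            clusters.append([a])
    return clusters


def correlate_alerts(alerts: List[Alert], kb=PRE_POST) -> List[Tuple[str, str]]:
    """Level 4, correlation: link b to an earlier a when a's consequences satisfy b's
    prerequisites and a's target is b's target or b's source (same host or a pivot)."""
    edges: List[Tuple[str, str]] = []
    ordered = sorted(alerts, key=lambda x: x.ts)
    for i, b in enumerate(ordered):
        pre_b = kb[b.sig][0]
        for a in ordered[:i]:
            post_a = kb[a.sig][1]
            if post_a & pre_b and a.dst in (b.dst, b.src):
                edges.append((a.sig, b.sig))
    return edges


def fuse(alerts: List[Alert]) -> dict:
    """Run all four levels and report the size of each stage plus the scenario edges."""
    reduced = reduce_alerts(alerts)
    verified = verify_alerts(reduced)
    clusters = cluster_alerts(verified)
    edges = correlate_alerts(verified)
    return {"reduced": len(reduced), "verified": len(verified),
            "clusters": len(clusters), "scenario_edges": edges}


if __name__ == "__main__":
    print(fuse(RAW_ALERTS))
```

On the constructed input the pipeline drops the duplicate (6 alerts to 5), verification discards the IIS exploit aimed at an nginx host (5 to 4), clustering groups the three alerts from 10.0.0.5 against 10.0.0.20 and leaves the outbound reverse shell in its own cluster, and correlation recovers the chain scan, exploit, C2 as three edges. The verification step is where most false-positive reduction happens in practice, so the asset inventory it consults must be kept current or the step will silently discard true positives.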