Deakin Research Online
Deakin University’s institutional research repository
This is the published version ( version of record) of:
Wen, Sheng, Xiang, Yang and Zhou, Wanlei 2010, A lightweight intrusion alert fusion
system, in HPCC 2010 : Proceedings of the 12th IEEE International Conference on High
Performance Computing and Communications, IEEE, Piscataway, N.J., pp. 695-700.
©2010 IEEE. Personal use of this material is permitted. However, permission to
reprint/republish this material for advertising or promotional purposes or for creating
new collective works for resale or redistribution to servers or lists, or to reuse any
copyrighted component of this work in other works must be obtained from the IEEE.
Copyright : 2010, IEEE
A Lightweight Intrusion Alert Fusion System
Sheng Wen
School of Information Science and Engineering
Central South University
Yang Xiang, Wanlei Zhou
School of Information Technology
yang.xiang | email@example.com
Abstract— In this paper, we present some practical experience on implementing an alert fusion mechanism from our project. After investigating most of the existing alert fusion systems, we found that the current body of work is either weighed down by insecure design or rarely deployed because of its complexity. As confirmed by our experimental analysis, unsuitable mechanisms can easily be submerged by an abundance of useless alerts. Even with methods that achieve a high fusion rate and low false positives, attack is still possible. To find a solution, we analysed a series of alerts generated from well-known datasets as well as realistic alerts from the Australian Honey-Pot. One important finding is that an alert has more than an 85% chance of being fused within the following 5 alerts. Of particular importance is our design of a novel lightweight Cache-based Alert Fusion Scheme, called CAFS. CAFS not only reduces the quantity of useless alerts generated by an IDS (Intrusion Detection System), but also enhances the accuracy of alerts, thereby greatly reducing the cost of fusion processing. We also present reasonable and practical specifications for a target-oriented fusion policy that provides a quality guarantee on alert fusion and, as a result, seamlessly feeds the subsequent correlation process. Our experimental results show that CAFS easily attains the desired level of survivable, inescapable alert fusion design. Furthermore, as a lightweight scheme, CAFS can easily be deployed and excels at large volumes of alert fusion, which improves the usability of system resources. To the best of our knowledge, our work is a novel exploration in addressing these problems from a survivable, inescapable and deployable point of view.
Keywords: Alert fusion, Cache-based mechanism, Target-
I. INTRODUCTION
The emergence of alert fusion techniques has significantly changed the troublesome job of analysing raw alerts, which originally belonged to network security administrators. However, most alert fusion systems are themselves not survivable: for example, a fusion job faced with an overwhelming flood of tens of thousands of meaningful or meaningless alerts can barely survive, because the system lacks the efficiency to deal with it. We analysed this problem laterally by using two facts: (1) in some networks, the firewall is set to drop ‘ping’ packets and an inside IDS monitors for their existence. We bypass the firewall and bomb the inside IDS with ‘ping’. In our experiment with one Snort deployed, the alert emission speed reached more than 100 pieces per second. (2) Some “IDS stress tools” like Stick and Snot produce IP packets capable of triggering rules from a spoofed IP range into a target IP range. Stick is reported to be able to produce alerts at around 250 pieces per second. If this happens on a large scale, the fusion phase could easily be overwhelmed by the emitted alerts without appropriate
Alert fusion approaches are generally deployed in a large-scale network environment, where there is a trade-off between scalability and complexity. We believe the underlying reason for this is the low efficiency of alert fusion processing. As long as efficiency is ensured, the conflict between scalability and complexity will be relieved.
As summarized by Viinikka, most approaches to alert processing aim to eliminate false alerts and/or adjust alert priority using additional information. Like most aspects of network security, it is a case of attackers developing new methods and defenders developing new countermeasures against these attacks. Once these countermeasures become accepted practice, the attackers
countermeasures, ad infinitum. The sticking point is the existence of a threshold. Most mechanisms implicitly have such a presupposition (except for some statistical methods applied in certain algorithms, and absolute fusion and correlation). Drawing lessons from game theory, attackers are not thought to be stupid, because they will not launch attacks along pre-arranged routes.
A serious approach to the problems above involves satisfying the survivable and inescapable properties as well as being easily deployable within the target system. In the alert fusion field, this task intuitively comes down to fusion efficiency. As far as we know, few papers deal with this as a whole. In this paper, we make this our concern.
We first analysed the alerts from traditional and classical security datasets (DARPA datasets, Defcon 8 & 10, Treasure Hunt). One interesting pattern we found was that an alert had more than an 85% chance of being fused within its 5 successive alerts. The probability exceeded 90% within 10 successive alerts. This phenomenon indicates that most alerts are consecutive in time as well as compact in position. It resembles the cache mechanism of a CPU and an operating system. We believe it is possible to introduce this mechanism into alert fusion.
We explored the existence of a cache-like pattern in a realistic network environment. However, once the alerts were collected, the fusion process had to follow an alert fusion policy, i.e. a set of matching rules. To deal with the possibility of evasion, we designed a simple but more effective method: a target-oriented policy. The alerts were mainly clustered as long as they satisfied the requirements of the duplicated category or the co-operating category (having the same destination and attack type).
2010 12th IEEE International Conference on High Performance Computing and Communications
978-0-7695-4214-0/10 $26.00 © 2010 IEEE
Our work contributes to improving the survivability of the fusion system. This is mainly achieved through the cache-based design, which promotes efficiency and reasonable fusion. Our work also contributes a simple target-oriented policy, which assures a more suitable and reasonable output, especially in combination with state machine correlation, because the whole system performs well in its inescapable nature. A further contribution of our work is a lightweight scheme for large-scale intrusion alert fusion. The structure of CAFS is a simple two-layer cascaded fusion, in which the first layer fuses the alerts of a single IDS and the next layer mainly acts as a collector and relay. The cache-based and target-oriented mechanisms were applied in CAFS. With significant gains in efficiency and reductions in complexity, we think this lightweight fusion engine is more suitable to be used on
The remainder of this paper is organized as follows:
Section 2 reviews related work. Section 3 elaborates on the
analysis of alerts, which is the basis of this paper. Section 4
presents CAFS, which is simple, efficient and scalable in
most applications. Section 5 reports on our experiments, and
Section 6 concludes this paper and points to future research
II. RELATED WORK
EMERALD implemented a ‘probabilistic’ alert fusion engine. Instead of using a large, crisp time window, the same authors advocated in another paper the use of fuzzy intervals. Thomas and Balakrishnan addressed the trade-off between the detection rate and false alerts. They found that the detector performed better when the fusion threshold was determined according to the Chebyshev inequality. Readers can find similar research on the application of probabilistic methods in the literature.
Another representative method is the slicing of alerts into several categories. Oliver Dain assigned each alert to one of five categories: discovery, scan, escalation, DoS, and stealth. Herve Debar arranged intrusion alerts to be aggregated into seven situations. Zhichun Li constructed the decrease key on the basis of DoS attacks, port scans, viruses, worms and botnets. Our work differs from these researchers in the idea of organized categories. The target-oriented policy is rational in giving a semantic description of the targets’ state switching.
The signal processing method was used in alert fusion as demonstrated by Viinikka, whose approach constructed alert time series by counting the number of events occurring in fixed-size sampling intervals. K. Julisch [17, 18] reported that 99% of the alerts produced by IDSs could be false positives. Devi Parikh proposed a pattern recognition approach to minimize the cost of errors but did not consider reducing the error rate itself.
Furthermore, there are other fusion methods that use special frameworks. The P2P fusion method was used by Indra, which utilized Pastry and Scribe, while Domino utilized Chord. A centralized architecture was used in DIDS, EMERALD and SOCBox, with alerts collected directly from the IDSs.
A distributed framework was used by Min Cai, who introduced a DHT-based overlay network to defend against flooding. Zhichun Li used the same method as Cai, but Li embedded the intrusion symptoms into the DHT dimensions so that alerts related to the same intrusion could be routed to the same sensor fusion center with good load balance. LarSID defended against attacks by sharing potential evidence of intrusions between participant IDSs via a DHT. The work of Ming Xu was similar to the work of Zhichun Li, but differed in the details of the routing mechanism.
III. ANALYSIS OF ALERTS
A. Cache-based Mechanism in Datasets
In the analysis of our experiments, we installed Snort (version: 188.8.131.52; rules: snortrules-snapshot-2.8) on the computer and used the ‘replay’ operation to analyze the classic datasets. All the records were replayed through Snort, and as a result the alerts of each dataset were stored in the “c:\ids\snort\log\alert” file. In further analysis, we used regular expressions to split each alert into its parts and processed the content in memory. Put simply, alerts were combined if they had the same sources, targets and alert types. This was the most basic policy for fusion. The goal was to test the spatial and temporal properties of the alerts. We kept a sliding window to organize the fusion process. Below are the three definitions for the analysis:
Fig. 1. Fusion proportions of each dataset in different ranges.
Definition 1 (Fusion Range). Suppose there are two alerts, alert A and alert B. When alert fusion is processed linearly, the fusion range is defined as the number of alerts between A and B.
Definition 2 (Fusion Quota). Suppose there are only X and Y alerts left after the fusion process. We also suppose R is the number of alerts fused in range N. The fusion quota in Figure 1 is defined as (1). Its denominator denotes the total number of alerts which have
Definition 3 (Fusion Proportion). Table I uses (2). This indicates how many alerts the fusion in range N has fused.
We calculated the fusion quota from range 1 to range 10. The results for each dataset are presented as bars respectively. The values in Figure 2 indicate two facts: a) the fusion quota accounts for more than 90% of the total alert fusion in range 10; b) we can define a watershed at range 5, because after that point the ascending curves of the fusion quota slope gently. Figure 1 clearly depicts the tendency of the fusion proportions, and correspondingly Table I exhibits the statistics of this fusion process. In “FP-10”, almost all alert fusion proportions reach a value of more than 80%. These values approach the values in “MFP”. Note that the MIT DARPA 1999 dataset is an exception, as its fusion extent reaches just 73% in range 5 and 78% in range 10. However, the tendency resembles the others, which could also reflect the similar nature of the alerts.
These interesting properties remind us of the cache mechanism in a CPU and of storage management in operating systems. It has been shown that instructions tend to be fetched from nearby storage locations, which is why a cache with a higher read/write speed was introduced into the CPU. The cache stores the nearby instructions and applies the LRU (Least Recently Used) algorithm to refresh its data. According to the above discussion, we think the cache mechanism can also be applied to intrusion alert fusion. One of our intentions in this experiment was to build a survivable system. We believe that improving fusion efficiency is beneficial when too many alerts arrive suddenly. With the cache-based mechanism, alerts first search for fusion within the cache range rather than the whole alert storage, which makes alert fusion more feasible.
B. Analysis in Campus Network
In our experience, IDSs are generally deployed inside the network, using a by-pass tunnel right behind the firewall. The firewall is configured to drop ‘ping’ packets. However, we enabled the detection of ‘ping’ packets within the IDS to monitor those which should not have appeared inside the network. During the investigation, we built such an environment in our campus network and used ‘ping’ packets to bomb the network from inside (we assumed the attacker had found a method to neglect the
TABLE II. RESULTS OF ‘PING’ BOMBING
MSAE (Maximum Speed of Alert Emission), pieces/second

TABLE I. STATISTICS OF ALERT FUSION RESULTS
(Column headings were only partly recovered; the surviving fragments, in order of appearance, are: MIT 2000, Treasure, Orange, Red, Training, Scene 1, Scene 2. Column 6 is the MIT DARPA 1999 dataset according to the text.)
Dataset | c1 | c2 | c3 | c4 | c5 | c6 | c7 | c8 | c9
Number of alerts | 43632 | 6404 | 1223280 | 102779 | 1686 | 119968 | 4676 | 1511 | 7488035
Duration | 2 days | 2 days | 2 days | 2 weeks | 4 hours | 2 weeks | 3 hours | 3 hours | 4 hours
MFP | 92.13% | 97.52% | 98.31% | 98.20% | 97.45% | 96.17% | 93.41% | 89.68% | 99.99%
NAF | 3436 | 159 | 20707 | 1845 | 43 | 4596 | 308 | 156 | 732
FP-1 | 13.91% | 30.18% | 35.80% | 86.18% | 69.63% | 31.51% | 66.85% | 71.67% | 1.67%
FP-5 | 76.78% | 92.49% | 93.88% | 93.59% | 91.56% | 73.20% | 87.25% | 84.71% | 97.47%
FP-10 | 87.52% | 95.13% | 96.95% | 94.98% | 95.97% | 78.50% | 89.56% | 85.51% | 99.86%
MFP = max fusion proportion (without the consideration of range)
NAF = number of alerts after fusion
FP-Number = fusion proportion in the range given by the number
We used the tool “IP-Traffic” to create ‘ping’ packets. TCP/IP sent out the ‘ping’ packets using a best-effort mechanism. We recorded the duration of alert emission by Snort. The whole experiment comprised eight runs with different quantities of packets and durations. The alert emission speed was calculated as the quantity of alerts divided by the duration. Table II comprises the results of this analysis. We can see the alert emission speed reached more than 100 pieces per second. The Snort rule for the detection of ‘ping’ was in “snort/rules/icmp-info”. Suppose that in a large-scale environment an attacker launched ‘ping’ and flooded the whole network where several IDSs existed. The fusion center would then receive a strengthened flood of alerts, and as a result the rendezvous point would easily be overwhelmed if no countermeasure was adopted. In this situation, the cache-based mechanism ran very well, because only a few alerts were produced once the repeated ones were perceived.
C. Cache-based Mechanism in Australian Honey-pot
We further investigated the alerts from the Australian Honey-Pot, where Snort was deployed. The rules used were from “Oinkmaster”, a collection of free rules available from the Snort community. Firstly, we fused the alerts by the same policy used in our previous analysis: alerts were combined if they had the same sources, targets and alert types. Subplot A of Figure 2 shows the results. Unfortunately, only 22.69% of the alerts could be clustered within range 10. The reason was that the Australian Honey-Pot was designed to suffer mostly from DoS attacks. The attackers frequently changed the source IP addresses and ports of the packets, and as a result the alerts emitted by Snort contained different sources. When we adopted the more reasonable target-oriented policy for the fusion analysis, the results improved a lot, as depicted in subplot B of Figure 2. In fact, we were able to gain a better fusion result after a little calibration of the “Oinkmaster” rules.
We also checked the emission speed of alerts, counted for each hour over a 6-month period (the same one-hour interval as used in related work). As we can see in subplot C of Figure 2, on most occasions alert emission was sparse, except for one occasion with a value of 240. The related alert is:
COMMUNITY WEB-MISC mod_jrun overflow attempt 2009-11-11 20:30:55 184.108.40.206:53546 192.168.1.2:80 TCP
This alert came up when certain web applications were in use, but in general it was just a warning for us to check whether anything had compromised the system. The rule itself could be commented out with “#”, as lots of security experts do; but in the Australian Honey-Pot we kept it enabled. In the experiment, this alert was produced at six to ten pieces per second. The result was not good enough to prove the worth of the cache-based mechanism, but it showed the promise of this utility when deployed in reality.
D. Target-oriented Policy
As described before, the aim of our project was to build an inescapable system. To achieve this, we adopted a state machine to correlate the alerts into scenarios. The best aspect of this design is its real-time description of the victims’ status, which makes it hard for attackers to avoid correlation by stealthy (i.e. multi-step) attacks. No matter when the attackers launch the next stage of an attack, the state machine records the current status of the victims.
This correlation method, however, needs an accurate expression of the current attack. Unfortunately, during the analysis process we found the current fusion ambiguous. For example, many alerts could be clustered into the scan category because they share the same source. Meanwhile, some of them could also be fused with other alerts as a DoS attack because they have the same destination. Besides, sophisticated attackers often adopt IP spoofing to avoid detection. Stealthy attacks like botnets can conceal their real sources, making the source properties of alerts not reliable at all. Moreover, current fusion policies simply fuse alerts within fixed durations. Such durations, which amount to expert knowledge, have the inherent drawback that they are not stable: different conditions call for different values. Even in the same scenario, the duration varies from the beginning to the end, let alone in a slow attack. As we can see in subplot A of Figure 2, the general policy cannot fuse the alerts efficiently. The reason was that attackers continuously switched their source IP when they launched the attack, so that alerts from the Honey-Pot had different sources and could not be fused together.
To facilitate alert analysis, we simplified the IDMEF (Intrusion Detection Message Exchange Format) into the structure in Figure 3 and classified fusion cases into 4 categories: Duplicated Category, Scan Category, Co-operating Category and Sequence Category. The ambiguity exists between the scan category and the co-operating category. We detail the ambiguity in a scenario: the headquarters organizes several attackers to scan an adverse network for vulnerabilities. The alerts contain the same Alert Type and Source IP. They can be clustered under the scan category. Meanwhile, if the scan traffic is heavy, the attack could be considered a DoS attack. This could be clustered under the co-operating category, because some alerts have the same Alert Type and Dest IP.
Fig. 2. Honey-Pot alerts (A: general fusion policy; B: target-oriented policy; C: alert emission speed). Vertical axis: Fusion Quota (%).
Fig. 3. Alert structure.
To address these problems, we designed a target-oriented policy, where alerts are fused when the duplicated or the co-operating category is satisfied, which means the Alert Type, Dest IP and Port are the same. This method can seamlessly collaborate with the next correlation phase. The aim of the correlation analysis is to identify multi-step attacks, which present a series of actions. The alerts of each step denote the current state of the victim. To comply with the requirements of correlation, alert fusion should be centred on targets.
Furthermore, the source information could be concealed, forged, changed, or unknown, while the victim information cannot. When victims suffer an intensive attack like DoS, the target-oriented policy helps the fusion to be more efficient. As indicated in subplot B of Figure 2, the efficiency greatly improved when we clustered the alerts of the Honey-Pot by the target-oriented policy. We believe the fusion rate would be better still when the policy is deployed in other real environments.
IV. ALERT FUSION ARCHITECTURE
According to the analysis above, we propose CAFS: a novel cache-based alert fusion scheme. It is simple but very effective to deploy on most occasions. We also apply the target-oriented mechanism as the alert fusion policy. As depicted in Figure 4, this scheme is composed of three levels: IDSs, preprocessing components and the fusion server.
The first level is composed of IDSs. It produces hundreds of thousands of alerts. As declared in section II-B, the fusion quota accounts for more than 90% of the total alert fusion in range 10. Therefore, to relieve the overhead on the fusion server, we installed one preprocessing fusion component after each IDS. The intention of this had two aspects: standardizing the alert format and decreasing the quantity of useless alerts. With the cache-based mechanism and target-oriented policy applied, the alerts from the IDSs are pre-fused by the preprocessing component. Actually, this is easy to implement in Snort, which can configure a customized output component in the
We implemented CAFS linearly. Looking at Figure 4, when an alert is received from an IDS, it is put into the Fusion Waiting Queue. Then this alert is compared with the first alert of the Fusion Queue. If the comparison satisfies the duplicated or co-operating category, they are fused under the target-oriented policy. If the comparison does not satisfy the categories, the alert searches for a match alert by alert until the fusion range is reached. Similar to the LRU algorithm in operating systems, because this alert has an 80% probability of being fused in the next round, the fused alert is moved to the front of the Fusion Queue. We define this as the LMHP (Latest Matching Highest Priority) algorithm.
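The queue just described, as an added example in Python (not the paper's own C++ implementation): it parses the one-line alert layout printed in Section III-C with a regular expression, fuses alerts through a Fusion Queue bounded by the fusion range using the LMHP move-to-front rule, and computes the fusion proportion of Definition 3 for ranges 1 to 10, so that the general policy of Section III-A and the target-oriented policy of Section III-D can be compared on Honey-Pot style traffic whose source changes on every packet. The alert stream, the ICMP port placeholders, the regular expression and the choice not to evict entries beyond the range are assumptions of this example.

```python
# Added example (not the paper's C++ code): a CAFS-style preprocessing component.
import re
from collections import namedtuple

# Simplified Figure 3 style alert structure (field names are this example's).
Alert = namedtuple("Alert", "atype src_ip src_port dst_ip dst_port proto")

# Assumed one-line layout: <type> <date> <time> <src>:<port> <dst>:<port> <proto>
LINE_RE = re.compile(
    r"^(?P<atype>.+?)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

def parse_alert(line):
    """Split one alert line into its parts with a regular expression."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    return Alert(m.group("atype"), m.group("src"), int(m.group("sport")),
                 m.group("dst"), int(m.group("dport")), m.group("proto"))

def duplicated(a, b):
    """Duplicated category (general policy of Section III-A): same type, source, target."""
    return a.atype == b.atype and a.src_ip == b.src_ip and a.dst_ip == b.dst_ip

def cooperating(a, b):
    """Co-operating category: same alert type, destination IP and port."""
    return a.atype == b.atype and a.dst_ip == b.dst_ip and a.dst_port == b.dst_port

def target_oriented_policy(a, b):
    """Target-oriented policy: fuse if duplicated or co-operating."""
    return duplicated(a, b) or cooperating(a, b)

class FusionQueue:
    """Fusion Queue with LMHP: a new alert is compared with at most
    `fusion_range` entries from the front; on a match the entry absorbs it and
    moves to the front, like LRU.  Entries beyond the range are kept, not
    evicted (an assumption made so the results depend on the range only)."""

    def __init__(self, fusion_range, policy):
        self.fusion_range = fusion_range
        self.policy = policy
        self.entries = []   # [representative alert, alerts fused into it]
        self.received = 0
        self.fused = 0

    def push(self, alert):
        """Return True if the alert was fused into an existing entry."""
        self.received += 1
        for i in range(min(self.fusion_range, len(self.entries))):
            if self.policy(self.entries[i][0], alert):
                entry = self.entries.pop(i)
                entry[1] += 1
                self.entries.insert(0, entry)   # LMHP: latest match to the front
                self.fused += 1
                return True
        self.entries.insert(0, [alert, 1])      # no match: new entry at the front
        return False

    def fusion_proportion(self):
        """Definition 3: share of received alerts absorbed by fusion in this range."""
        return self.fused / self.received if self.received else 0.0

def fuse_stream(lines, fusion_range, policy):
    queue = FusionQueue(fusion_range, policy)
    for line in lines:
        queue.push(parse_alert(line))
    return queue

def fusion_curve(lines, policy, max_range=10):
    """Fusion proportion for ranges 1..max_range, like FP-1..FP-10 in Table I."""
    return [fuse_stream(lines, n, policy).fusion_proportion()
            for n in range(1, max_range + 1)]

# Constructed stream: the mod_jrun line from the paper, repeated pings from one
# host, and a SYN flood whose source changes every packet (the Honey-Pot case
# where the general policy fails).  ICMP "ports" are written as 0 here.
SAMPLE_ALERTS = [
    "COMMUNITY WEB-MISC mod_jrun overflow attempt 2009-11-11 20:30:55 184.108.40.206:53546 192.168.1.2:80 TCP",
    "COMMUNITY WEB-MISC mod_jrun overflow attempt 2009-11-11 20:30:55 184.108.40.206:53547 192.168.1.2:80 TCP",
    "ICMP PING 2009-11-11 20:31:00 203.0.113.5:0 192.168.1.2:0 ICMP",
    "ICMP PING 2009-11-11 20:31:00 203.0.113.5:0 192.168.1.2:0 ICMP",
    "SYN flood 2009-11-11 20:31:01 198.51.100.1:40001 192.168.1.2:80 TCP",
    "SYN flood 2009-11-11 20:31:01 198.51.100.2:40002 192.168.1.2:80 TCP",
    "SYN flood 2009-11-11 20:31:01 198.51.100.3:40003 192.168.1.2:80 TCP",
    "ICMP PING 2009-11-11 20:31:02 203.0.113.5:0 192.168.1.2:0 ICMP",
    "SYN flood 2009-11-11 20:31:02 198.51.100.4:40004 192.168.1.2:80 TCP",
    "SYN flood 2009-11-11 20:31:02 198.51.100.5:40005 192.168.1.2:80 TCP",
]
if __name__ == "__main__":
    for name, policy in (("general", duplicated), ("target-oriented", target_oriented_policy)):
        fps = fusion_curve(SAMPLE_ALERTS, policy)
        print("%-16s FP-1..FP-10: %s" % (name, " ".join("%.0f%%" % (p * 100) for p in fps)))
```

On this stream the general policy never fuses the flood alerts because every source differs, while the target-oriented policy fuses them from range 1 on; the remaining gap between range 1 and range 2 is the ping alert that interleaves with the flood.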
V. EXPERIMENTS
A. For Survivability
We have implemented all the techniques discussed in this paper. In our implementation, we used C++ as the programming language and Microsoft SQL Server 2000 as the database to store the fused alerts.
In CAFS, the alerts emitted from the IDSs are first sent to the preprocessing component for pre-fusing. The output is then processed together in the fusion server for comprehensive fusion. Finally, the fused alerts are stored in the database, waiting for correlation analysis and responses. By contrast, the traditional centralized architecture delivers the alerts to the fusion server directly, which dramatically aggravates the overhead of the centralized server. For the survivability test, we proved the validity of CAFS by comparing fusion durations between CAFS and the traditional centralized scheme. If the duration was shorter than that of the traditional centralized scheme, it proved CAFS was more efficient and survivable.
The fusion durations are recorded in Table III in seconds. We found CAFS to be better by roughly 10%. As the quantity of alerts grew, the percentage decrease in fusion duration became larger. We believe this was because the fusion server had an initialization time, which had been included in the
B. For Inescapability
The second test we performed validated the correctness of the target-oriented policy. We investigated the original alerts of the Australian Honey-Pot and further checked each alert after fusion. The quantity of alerts was 4,787, and after fusion with the fusion range set to 10 the quantity of alerts was 3,287. During our observations, we found the result of fusion reasonable except on one occasion. Automatic attack tools have the ability to switch the source ports and change the speed of packet emission, so the Snort in the honey-pot emitted a lot of alerts with different source ports. We calibrated our design to avoid the appearance of such cases. Table IV shows the results after calibration. The fusion rate reached more than 90% after range 2, which is in concert with the classical datasets. This proves the value of the cache-based mechanism from another point of view.
Fig. 4. Scheme of Alerts Fusion. LMHP: Latest Matching Highest Priority. The alerts are fused if either the duplicated or the co-operating relation is satisfied.
C. For Deployment
We calculated the maximum number of IDSs for deployment. Taking our PCs as an example, we recorded the fusion durations and the quantities of alerts. The speed of alert fusion was then evaluated to be roughly 40,000 pieces/second. We introduced 103 pieces/second as a round evaluation. This meant the PC could endure alerts emitted from 400 IDSs in the traditional centralized architecture. With the cache mechanism applied, it could process ten times more, which is 4000 IDSs. We declare that this evaluation was based on empirical computation, which did not take other parameters into consideration.
VI. CONCLUSION
In this paper, we have presented several interesting designs from our project on alert fusion and correlation. Our aim was to implement a survivable, inescapable and deployable system. With the introduction of a cache-based mechanism and a target-oriented fusion policy, our system attained significant improvements towards our original intention.
REFERENCES
[1] Stick: http://www.securityfocus.com/tools/1974 [accessed 1.8.2010]
[2] Snot: http://www.securityfocus.com/tools/1983 [accessed 1.8.2010]
[3] Jouni Viinikka, Herve Debar, Ludovic Me, Anssi Lehikoinen, Mika Tarvainen, Processing Intrusion Detection Alert Aggregates with Time Series Modeling, Information Fusion 10, 312-324, 2009.
[4] H. Debar, A. Wespi, Aggregation and Correlation of Intrusion-Detection Alerts, in: The 4th International Symposium on Recent Advances in Intrusion Detection, Davis, CA, USA, 2001.
[5] Fiona Carmichael, A Guide to Game Theory, Prentice Hall, Pearson Education Limited, first published 2005.
[6] MIT Darpa Dataset [accessed 1.8.2010]
[7] Treasure Hunt Dataset http://www.cs.ucsb.edu/~vigna/treasurehunt/
[8] Defcon Dataset http://cctf.shmoo.com/ [accessed 1.8.2010]
[9] P.A. Porras, P.G. Neumann, EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances, in: Proceedings of the 20th National Information Systems Security Conference, 1997.
[10] Federico Maggi, Matteo Matteucci, Stefano Zanero, Reducing False Positives in Anomaly Detectors Through Fuzzy Alert Aggregation, Information Fusion 10, 300-311, 2009.
[11] Ciza Thomas and N. Balakrishnan, Improvement in Intrusion Detection With Advances in Sensor Fusion, IEEE Transactions on Information Forensics and Security, Vol. 4, No. 3, 2009.
[12] A. Valdes, K. Skinner, Probabilistic Alert Correlation, in: RAID’00: Proceedings of the Fourth International Symposium on Recent Advances in Intrusion Detection, Springer-Verlag, London, 2001.
[13] Guofei Gu, Alvaro A. Cardenas, Wenke Lee, Principled Reasoning and Practical Applications of Alert Fusion in Intrusion Detection Systems, in: Proceedings of the ACM Symposium on Information, Computer and Communications Security, Tokyo, Japan, 2008.
[14] Oliver Dain, Robert K. Cunningham, Fusing a Heterogeneous Alert Stream into Scenarios, in: Proceedings of the ACM Workshop on Data Mining for Security, Rennes, France, 2001.
[15] Zhichun Li, Yan Chen and Aaron Beach, Towards Scalable and Robust Distributed Intrusion Alert Fusion with Good Load Balancing, in: Proceedings of the ACM SIGCOMM Workshop on Large-Scale Attack Defense, Pisa, Italy, 2006.
[16] Jouni Viinikka, Herve Debar, Time Series Modeling for IDS Alert Management, in: Proceedings of the ACM Symposium on Information, Computer and Communications Security, Taipei, Taiwan, 2006.
[17] K. Julisch, Mining Alarm Clusters to Improve Alarm Handling Efficiency, in: Proceedings of the 17th Annual Computer Security Applications Conference, New Orleans, Louisiana, 2001.
[18] K. Julisch, Clustering Intrusion Detection Alarms to Support Root Cause Analysis, ACM Transactions on Information and System Security, Vol. 2, No. 3, pages 111-138, 2002.
[19] Devi Parikh, Tsuhan Chen, Data Fusion and Cost Minimization for Intrusion Detection, IEEE Transactions on Information Forensics and Security, Vol. 3, pp. 381-389, 2008.
[20] Janakiraman, Marcel Waldvogel, Qi Zhang, Indra: A peer-to-peer approach to network intrusion detection and prevention, in: IEEE WETICE Workshop on Enterprise Security, Linz, Austria, 2003.
[21] Vinod Yegneswaran et al., Global intrusion detection in the DOMINO overlay system, in: Proceedings of NDSS, San Diego, USA, 2004.
[22] Snapp S.R., Smaha S.E., Grance T., Teal D.M., DIDS (Distributed Intrusion Detection System): motivation, architecture and an early prototype, in: Proceedings of the 14th National Computer Security Conference, Washington, DC, 1991.
[23] Min Cai, Kai Hwang, Collaborative Internet Worm Containment, IEEE Security and Privacy Magazine, Vol. 3, Issue 5, pp. 25-33, 2005.
[24] Zhou C.V., Karunasekera S., Leckie C., Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection, in: IEEE International Symposium on Integrated Network Management, Munich, Germany, 2007.
[25] Ming Xu, Chaochi Lin, Chen Qin, A Multiple Keyword Fusion Scheme for P2P IDS Alert, in: Proceedings of the 1st International Conference on Intelligent Networks and Intelligent Systems, 2008.
[26] IP-Traffic [accessed 1.8.2010]
[27] Oinkmaster: http://oinkmaster.sourceforge.net/ [accessed 1.8.2010]
[28] RFC 4765: The Intrusion Detection Message Exchange Format
TABLE III. COMPARISON OF FUSION DURATIONS (SECOND)
Defcon 8 | MIT 98 Test part
813.116 | 707.056 | 68.808
822.926 | 713.374 | 69.009
817.045 | 705.166 | 68.782
Defcon 10 Orange | MIT 99 Test part
Gray Area: traditional centralized fusion scheme.
White Area: CAFS.
NOA: number of alerts.
Rate: the decrease percentage of fusion durations.

TABLE IV. CALIBRATION OF ALERT FUSION ON THE AUSTRALIAN HONEY-POT
Range | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
Fusion proportion | 75.73% | 90.39% | 92.97% | 93.69% | 94.22% | 94.49% | 94.73% | 94.75% | 95.00% | 95.00%