Alert Correlation Algorithms: A Survey and Taxonomy
This survey addresses the need for effective alert correlation in enterprise networks to enhance cybersecurity, but it is incremental as it reviews existing methods without introducing new algorithms.
The paper presents a comprehensive survey and taxonomy of alert correlation algorithms used in intrusion detection systems to reduce false alerts, detect attack patterns, and improve incident analysis, concluding that an ideal framework should combine strengths from different algorithm categories.
Alert correlation is a system which receives alerts from heterogeneous Intrusion Detection Systems and reduces false alerts, detects high level patterns of attacks, increases the meaning of occurred incidents, predicts the future states of attacks, and detects root cause of attacks. To reach these goals, many algorithms have been introduced in the world with many advantages and disadvantages. In this paper, we are trying to present a comprehensive survey on already proposed alert correlation algorithms. The approach of this survey is mainly focused on algorithms in correlation engines which can work in enterprise and practical networks. Having this aim in mind, many features related to accuracy, functionality, and computation power are introduced and all algorithm categories are assessed with these features. The result of this survey shows that each category of algorithms has its own strengths and an ideal correlation frameworks should be carried the strength feature of each category.