Heterogeneous Sensor Correlation: A Case Study of Live Traffic Analysis

As enterprises deploy multiple intrusion detection sensors at key points in their networks, the issue of correlating messages from these sensors becomes increasingly important. A correlation capability reduces alert volume, and potentially improves detection performance through sensor reinforcement or complementarity. Correlation is especially advantageous when heterogeneous sensors are employed because of the potential to aggregate different views of the same incident. Emerging standards for sensor interoperability with respect to alert reporting facilitate the function of correlation engines, but these standards are still at an early stage of development. Furthermore, it is apparent that these standards will not enforce uniformity in, for example, attack description, complicating the task of correlation. The immature state of standards and nonuniformity of reporting both argue for correlation technologies that are robust, flexible, and function with comparatively few underlying assumptions. Herein, we present a case study of correlating several sensors listening to live traffic using a probabilistic correlation approach.
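The kind of robust, few-assumptions correlation the abstract argues for can be illustrated with a feature-similarity engine: two alerts are fused when a weighted average of per-feature similarities (source, destination, time, port, attack class) crosses a threshold, and a feature one sensor does not report simply drops out of the average instead of penalising the pair. The block below is an added illustration written for this page, not the paper's own code or the EMERALD correlator; the feature weights, the class-similarity table, the /24 partial-match heuristic, the 300-second time window, the 0.7 threshold and the sample alerts are all constructed assumptions.

```python
"""Feature-similarity correlation of alerts from heterogeneous sensors.

Added illustration only; it is not the paper's code. Feature weights, the
class-similarity table, the /24 heuristic, the time window, the threshold
and the sample alerts are all constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class Alert:
    sensor: str                  # reporting sensor
    ts: float                    # seconds since epoch
    src: str                     # source IP
    dst: str                     # destination IP
    dport: Optional[int]         # None when the sensor does not report ports
    attack_class: Optional[str]  # None for sensors without a signature class


@dataclass
class MetaAlert:
    alerts: List[Alert] = field(default_factory=list)

    def sensors(self):
        return {a.sensor for a in self.alerts}


# Per-feature similarity in [0, 1]; None means "not comparable" (one side did
# not report the feature), so the feature drops out of the weighted average
# instead of penalising the pair. This is what tolerates nonuniform reports.
def ip_sim(a, b):
    if a == b:
        return 1.0
    # same /24 counts as a partial match (assumed heuristic)
    return 0.5 if int(ip_address(a)) >> 8 == int(ip_address(b)) >> 8 else 0.0


def time_sim(t1, t2, window=300.0):
    return max(0.0, 1.0 - abs(t1 - t2) / window)


def port_sim(p1, p2):
    if p1 is None or p2 is None:
        return None
    return 1.0 if p1 == p2 else 0.0


# Assumed similarity between distinct attack classes; identical classes score 1.0.
CLASS_SIM = {frozenset({"PROBE", "DOS"}): 0.1, frozenset({"PROBE", "EXPLOIT"}): 0.5}


def class_sim(c1, c2):
    if c1 is None or c2 is None:
        return None
    if c1 == c2:
        return 1.0
    return CLASS_SIM.get(frozenset({c1, c2}), 0.0)


WEIGHTS = {"src": 3.0, "dst": 2.0, "time": 2.0, "port": 1.0, "class": 2.0}  # assumed


def similarity(a: Alert, b: Alert) -> float:
    """Weighted mean of the comparable feature similarities."""
    feats = {
        "src": ip_sim(a.src, b.src),
        "dst": ip_sim(a.dst, b.dst),
        "time": time_sim(a.ts, b.ts),
        "port": port_sim(a.dport, b.dport),
        "class": class_sim(a.attack_class, b.attack_class),
    }
    num = den = 0.0
    for name, s in feats.items():
        if s is None:
            continue
        num += WEIGHTS[name] * s
        den += WEIGHTS[name]
    return num / den if den else 0.0


def correlate(alerts: List[Alert], threshold: float = 0.7) -> List[MetaAlert]:
    """Greedy single pass in time order: an alert joins the meta-alert whose
    best-matching member scores at or above the threshold, else starts a new one."""
    metas: List[MetaAlert] = []
    for alert in sorted(alerts, key=lambda x: x.ts):
        best, best_score = None, 0.0
        for m in metas:
            score = max(similarity(alert, member) for member in m.alerts)
            if score > best_score:
                best, best_score = m, score
        if best is not None and best_score >= threshold:
            best.alerts.append(alert)
        else:
            metas.append(MetaAlert([alert]))
    return metas


# Constructed sample: a signature sensor and an anomaly sensor watching the
# same segment. The anomaly sensor reports neither a port nor an attack class.
SAMPLE_ALERTS = [
    Alert("sig_sensor", 1000.0, "198.51.100.7", "192.0.2.10", 22, "PROBE"),
    Alert("anom_sensor", 1010.0, "198.51.100.7", "192.0.2.10", None, None),
    Alert("sig_sensor", 1100.0, "198.51.100.7", "192.0.2.11", 22, "PROBE"),
    Alert("sig_sensor", 1050.0, "203.0.113.5", "192.0.2.10", 80, "DOS"),
]


if __name__ == "__main__":
    for i, m in enumerate(correlate(SAMPLE_ALERTS)):
        print(f"meta-alert {i}: {len(m.alerts)} alerts from {sorted(m.sensors())}")
```

On the sample, the three alerts about 198.51.100.7 fuse into one meta-alert that carries both sensors' views (the anomaly alert scores about 0.99 against the first signature alert even though two of its five features are missing), while the unrelated DOS alert against the same destination stays separate. The greedy pass keeps the engine simple and stateless beyond the open meta-alerts; a production correlator would also expire meta-alerts after a quiet period and let the threshold depend on which features were actually comparable.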

[1] S. Staniford-Chen et al., "Practical Automated Detection of Stealthy Portscans," Journal of Computer Security, 2002.

[2] A. Valdes et al., "Adaptive, Model-Based Monitoring for Cyber Attack Detection," Recent Advances in Intrusion Detection (RAID), 2000.

[3] U. Lindqvist et al., "Detecting Computer and Network Misuse through the Production-Based Expert System Toolset (P-BEST)," Proceedings of the 1999 IEEE Symposium on Security and Privacy, 1999.