Adaptive Alert Aggregation in Intrusion Detection Alert Management & Intrusion Response System
This paper briefly introduces the architecture and functions of the Intrusion Detection Alert Management and Intrusion Response System (IDAMIRS) and describes the problems caused by repetitive IDS alerts. Building on a detailed discussion of alert aggregation, it proposes an adaptive alert aggregation approach. The approach aggregates repetitive alerts effectively and, at the same time, automatically adjusts how long aggregated alerts stay in the buffer area according to their alert types. This removes the problems caused by repetitive alerts, such as network traffic congestion, and achieves a balance between the number of alerts and the distinction between alert types in the proposed model. In addition, the alert aggregation approach provides strong support for further alert processing in IDAMIRS and balances the speed and the security of a network system.
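As an added illustration (not code from the IDAMIRS paper), the Python sketch below shows the mechanism the abstract describes: repetitive alerts are held in a buffer and released as one aggregated alert, and each alert type has its own stay time that is adjusted automatically. The aggregation key (type, source, destination, port), the adaptation rule (stay time doubles for a type that produced many duplicates during its stay and halves for a quiet type, within a floor and a ceiling), the parameter names and the sample alert stream are all assumptions made for this example.

```python
"""Buffer-based aggregation of repetitive IDS alerts with adaptive, per-type
stay times.  Added example: key, adaptation rule and sample data are assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float      # seconds since start of capture
    atype: str     # alert type (rule or signature name)
    src: str
    dst: str
    dport: int


@dataclass
class Aggregated:
    first: Alert   # representative alert for the group
    first_ts: float
    last_ts: float
    count: int = 1


class AdaptiveAggregator:
    """Holds repetitive alerts in a buffer and emits one aggregated alert per
    group once the stay time of the group's alert type has elapsed."""

    def __init__(self, min_stay=5.0, max_stay=120.0, target_dupes=8):
        self.min_stay = min_stay
        self.max_stay = max_stay
        self.target_dupes = target_dupes
        self.stay = defaultdict(lambda: min_stay)  # assumed: start at the floor
        self.buffer = {}     # aggregation key -> Aggregated
        self.emitted = []    # aggregated alerts released downstream

    @staticmethod
    def key(a):
        # Assumption: alerts are "repetitive" when type, src, dst and port match.
        return (a.atype, a.src, a.dst, a.dport)

    def _adapt(self, atype, count):
        # Assumed rule: noisy types earn a longer stay (bounded by max_stay),
        # quiet types shrink back toward min_stay so they are not delayed.
        cur = self.stay[atype]
        if count > self.target_dupes:
            self.stay[atype] = min(self.max_stay, cur * 2)
        else:
            self.stay[atype] = max(self.min_stay, cur / 2)

    def flush(self, now):
        """Release groups whose stay time has elapsed; returns how many."""
        expired = [k for k, g in self.buffer.items()
                   if now - g.first_ts >= self.stay[g.first.atype]]
        for k in expired:
            g = self.buffer.pop(k)
            self._adapt(g.first.atype, g.count)
            self.emitted.append(g)
        return len(expired)

    def ingest(self, a):
        self.flush(a.ts)
        k = self.key(a)
        g = self.buffer.get(k)
        if g is None:
            self.buffer[k] = Aggregated(a, a.ts, a.ts)
        else:
            g.count += 1
            g.last_ts = a.ts

    def drain(self):
        """Force out what is still buffered (e.g. at shutdown), stay times untouched."""
        for k in list(self.buffer):
            self.emitted.append(self.buffer.pop(k))


def build_sample_stream():
    # Constructed sample input, not real sensor output: 50 identical SSH-scan
    # alerts every 0.5 s plus one isolated SQL-injection alert.
    alerts = [Alert(0.5 * i, "ssh-scan", "10.0.0.5", "10.0.0.9", 22)
              for i in range(50)]
    alerts.append(Alert(3.2, "sqli-attempt", "10.0.0.7", "10.0.0.9", 80))
    return sorted(alerts, key=lambda a: a.ts)


def run_demo():
    agg = AdaptiveAggregator(min_stay=5.0, max_stay=120.0, target_dupes=8)
    stream = build_sample_stream()
    for a in stream:
        agg.ingest(a)
    agg.drain()
    return {
        "raw": len(stream),
        "emitted": [(g.first.atype, g.count, g.first_ts, g.last_ts)
                    for g in agg.emitted],
        "stay": dict(agg.stay),
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"{result['raw']} raw alerts -> {len(result['emitted'])} aggregated")
    for atype, count, t0, t1 in result["emitted"]:
        print(f"  {atype:13s} x{count:<3d} window {t0:5.1f}-{t1:5.1f}s")
    print("stay times:", result["stay"])
```

On the constructed stream, 51 raw alerts collapse to four aggregated ones: the scan type's stay time grows from 5 s to 20 s as each released group turns out to contain many duplicates, so later groups cover longer windows, while the lone SQL-injection alert keeps the 5 s floor and is released with minimal delay. That is the trade-off the abstract describes: fewer alerts on the wire without losing the distinction between a noisy type and a rare one.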