Network intrusion alert correlation challenges and techniques

Many organizations implement Intrusion Detection Systems (IDS) as the first line of defense for their security systems. To date, researchers have developed IDS for many computing environments. Having detected signs of intrusion, an IDS triggers alerts to report them. These alerts are presented to a human analyst, who evaluates them and initiates adequate responses. However, manually analyzing those alerts is tedious, time-consuming and error-prone, for two reasons: (1) the number of alerts is enormous, and (2) most of them are false alerts. A promising method to automate alert analysis is finding correlations between alerts; such a system is known as an Alert Correlation System (ACS). One of the major applications of alert correlation (AC) is attack diagnosis. Interestingly, researchers hold different views on how to define the concept of AC. Furthermore, various types of techniques have been proposed in AC: (1) to reduce false alerts, and (2) to find causal relationships between alerts in order to extract the attacker's strategies. This paper discusses the challenges of ACS and, most importantly, presents a review of the techniques and solutions proposed over the last ten years, comparing their advantages and limitations. The survey is followed by a presentation of potential future research directions in this area.

Bibliographic Details
Main Authors: Md. Siraj, Maheyzah; Mohd. Hashim, Siti Zaiton
Format: Article
Language: English
Published: Penerbit UTM Press 2008
Subjects: QA75 Electronic computers. Computer science
Online Access: http://eprints.utm.my/9423/1/MaheyzahMdSiraj2008_NetworkIntrusionAlertCorrelation.pdf
Peer-reviewed article, published December 2008 (application/pdf, English).
Citation: Md. Siraj, Maheyzah and Mohd. Hashim, Siti Zaiton (2008) Network intrusion alert correlation challenges and techniques. Jurnal Teknologi Maklumat, 20 (2), pp. 12-36. ISSN 0128-3790.