Abstract
A method and architecture for on-line, classification-based intrusion alert correlation are provided. The method uses a layered architecture to split and then correlate alerts. An alert-splitting technique separates the mostly general alerts from the more valuable or more complex ones, and only the more important alerts are selected for correlation with known attack scenarios in order to discover significant attack information. This overcomes the disadvantages of the prior art, in which correlation is shielded (obscured by the volume of general alerts) and computational resources are over-consumed.
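The two-layer flow the abstract describes (split the stream by classification, correlate only the important alerts against known scenarios) as an added, self-contained illustration in Python. This is not the patent's own method or code: the severity/signature classification rule, the scenario table, the 600-second step window, and the alert stream are all assumptions constructed for the example.

```python
"""Added illustration of a layered, classification-based alert correlator.
Not the patent's implementation; all rules, names and data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since epoch (constructed sample data)
    src: str
    dst: str
    sig: str       # signature / alert type name
    severity: int  # 1 (low) .. 5 (high)


# Layer 1: classification rule used to split the stream (assumed for the
# example). An alert is "important" if its severity reaches the threshold or
# its signature is a known scenario step that IDS tools rate as low on its own.
IMPORTANT_SEVERITY = 3
VALUABLE_SIGS = {"PORT_SCAN"}


def split_alerts(alerts: List[Alert]) -> Tuple[List[Alert], List[Alert]]:
    """Return (important, general); only 'important' goes to the correlator."""
    important, general = [], []
    for a in alerts:
        if a.severity >= IMPORTANT_SEVERITY or a.sig in VALUABLE_SIGS:
            important.append(a)
        else:
            general.append(a)
    return important, general


# Layer 2: known attack scenarios as ordered signature sequences (assumed).
SCENARIOS = {
    "recon-to-root": ["PORT_SCAN", "EXPLOIT_ATTEMPT", "PRIV_ESC"],
}
STEP_WINDOW = 600  # max seconds between consecutive scenario steps (assumed)


@dataclass
class Match:
    scenario: str
    src: str
    dst: str
    alerts: List[Alert]


def correlate(important: List[Alert]) -> List[Match]:
    """Advance per-(scenario, src, dst) partial chains; emit a Match when a
    chain reaches the last step. Stale chains are dropped, so an unrelated
    late alert never completes an old sequence."""
    partial: Dict[Tuple[str, str, str], List[Alert]] = {}
    matches: List[Match] = []
    for a in sorted(important, key=lambda x: x.ts):
        for name, steps in SCENARIOS.items():
            key = (name, a.src, a.dst)
            seen = partial.get(key, [])
            if seen and a.ts - seen[-1].ts > STEP_WINDOW:
                seen = []            # chain went stale; start over
                partial.pop(key, None)
            nxt = len(seen)
            if nxt < len(steps) and a.sig == steps[nxt]:
                seen = seen + [a]
                if len(seen) == len(steps):
                    matches.append(Match(name, a.src, a.dst, seen))
                    partial.pop(key, None)
                else:
                    partial[key] = seen
    return matches


def run_pipeline(alerts: List[Alert]) -> dict:
    """Layered flow: split first, correlate only the important subset."""
    important, general = split_alerts(alerts)
    return {"important": important, "general": general,
            "matches": correlate(important)}


# Constructed alert stream: noisy pings from several hosts plus one real chain
# from 10.0.0.5, and an incomplete chain from 10.0.0.7 that must not match.
SAMPLE_ALERTS = [
    Alert(1000 + i, f"10.0.0.{i}", "10.0.0.20", "ICMP_PING", 1) for i in range(1, 7)
] + [
    Alert(1100, "10.0.0.5", "10.0.0.20", "PORT_SCAN", 2),
    Alert(1150, "10.0.0.9", "10.0.0.20", "ICMP_PING", 1),
    Alert(1300, "10.0.0.5", "10.0.0.20", "EXPLOIT_ATTEMPT", 4),
    Alert(1320, "10.0.0.7", "10.0.0.20", "EXPLOIT_ATTEMPT", 4),  # no prior scan
    Alert(1400, "10.0.0.5", "10.0.0.20", "PRIV_ESC", 5),
    Alert(9000, "10.0.0.7", "10.0.0.20", "PRIV_ESC", 5),         # no chain
]

if __name__ == "__main__":
    r = run_pipeline(SAMPLE_ALERTS)
    print(f"{len(r['general'])} general alerts dropped before correlation, "
          f"{len(r['important'])} important alerts correlated")
    for m in r["matches"]:
        print(m.scenario, m.src, "->", m.dst, [x.sig for x in m.alerts])
```

The point the example makes is the one the abstract claims: the correlator only ever touches the 5 important alerts out of 12, and the low-severity PORT_SCAN is still kept because the classification rule treats it as a valuable scenario step rather than as noise.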