10.5. Conclusion

This chapter has described a vulnerability-centric alert correlation method for defending against multistep intrusions in networks. The methods apply to the common, less-than-ideal situation in which not all vulnerabilities can be removed through network hardening, so multistep intrusions must be defended against in real time as they unfold. We identified a key limitation of nested loop–based correlation methods, namely that comparing each new alert with every earlier alert forces a trade-off between processing cost and the time window within which alerts can be correlated, and described a novel queue graph approach that removes this limitation. The queue graph method has linear time complexity in the number of alerts and a memory requirement that is quadratic in the size of the attack graph rather than dependent on the length of the alert stream, so it can correlate alerts arbitrarily far apart in time. The correlation method was then extended into a unified approach to the hypothesis, prediction, and aggregation of intrusion alerts. Empirical results showed that the correlation engine can process alerts faster than an IDS can report them, making the method a promising solution for administrators who need to monitor the progress of intrusions.
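
As an added illustration (this is not the chapter's own code, nor the authors' implementation), the following Python contrasts a nested-loop correlator, which compares each new alert with every earlier alert inside a time window, against a reduced form of the queue graph idea, in which each exploit node of the attack graph holds only the most recent alert that matched it. The attack graph, the constructed alert stream, and the simplification of the attack graph to "prepare-for" edges between exploits with one slot per exploit are assumptions made for this example. It shows the two properties the text claims: the windowed nested loop silently loses the correlation between the initial scan and the later ftp_rhosts alert, while the queue graph finds it, and the number of comparisons grows quadratically with the alert stream in one case and stays proportional to the attack graph's in-degrees in the other.

```python
"""Added example (not from the chapter): nested-loop versus queue-graph
alert correlation against a small attack graph.

Assumptions (mine, not the chapter's): the attack graph is reduced to
"prepare-for" edges between exploits, every alert has already been mapped
to the exploit it matches, and the queue graph keeps one slot per exploit.
"""
from collections import namedtuple

Alert = namedtuple("Alert", ["id", "time", "exploit"])

# Constructed attack graph: exploit -> set of exploits it prepares for.
# "noise" is an unrelated exploit that never takes part in the chain.
PREPARES_FOR = {
    "scan":       {"ftp_rhosts"},
    "ftp_rhosts": {"rsh_login"},
    "rsh_login":  {"local_bof"},
    "local_bof":  set(),
    "noise":      set(),
}

# Constructed alert stream: the scan happens long before the rest of the
# chain, with unrelated alerts in between (a slow, patient intrusion).
ALERTS = (
    [Alert("a1", 0, "scan")]
    + [Alert(f"n{i}", 10 + i, "noise") for i in range(50)]
    + [Alert("a2", 1000, "ftp_rhosts"),
       Alert("a3", 1005, "rsh_login"),
       Alert("a4", 1010, "local_bof")]
)


def predecessors(graph):
    """Invert the prepare-for relation: exploit -> exploits that prepare for it."""
    preds = {e: set() for e in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            preds.setdefault(dst, set()).add(src)
    return preds


def nested_loop_correlate(alerts, graph, window):
    """Compare each new alert with every earlier alert, keeping only pairs
    closer in time than `window`. Returns (correlated id pairs, comparisons).
    The comparison count is quadratic in the number of alerts, and any
    prepare-for relation spanning more than `window` is lost."""
    preds = predecessors(graph)
    pairs, comparisons = [], 0
    for i, new in enumerate(alerts):
        for old in alerts[:i]:
            comparisons += 1
            if new.time - old.time > window:
                continue  # outside the window: a distant step is silently dropped
            if old.exploit in preds.get(new.exploit, ()):
                pairs.append((old.id, new.id))
    return pairs, comparisons


def queue_graph_correlate(alerts, graph):
    """Keep only the latest alert per exploit node. A new alert is checked
    against the latest alert of each predecessor node only, so the work per
    alert is bounded by that node's in-degree rather than by the number of
    alerts seen so far, and memory is bounded by the attack graph rather than
    by the alert stream. Returns (correlated id pairs, comparisons)."""
    preds = predecessors(graph)
    latest = {}  # exploit -> most recent alert matching it (one slot per node)
    pairs, comparisons = [], 0
    for new in alerts:
        for p in preds.get(new.exploit, ()):
            comparisons += 1
            if p in latest:  # the latest matching alert is enough to correlate
                pairs.append((latest[p].id, new.id))
        latest[new.exploit] = new
    return pairs, comparisons


if __name__ == "__main__":
    nl_pairs, nl_cmp = nested_loop_correlate(ALERTS, PREPARES_FOR, window=100)
    qg_pairs, qg_cmp = queue_graph_correlate(ALERTS, PREPARES_FOR)
    print(f"nested loop (window=100): {nl_pairs} after {nl_cmp} comparisons")
    print(f"queue graph:              {qg_pairs} after {qg_cmp} comparisons")
```

With the stream above the windowed nested loop reports only (a2, a3) and (a3, a4) after 1431 comparisons, whereas the queue graph reports the full chain (a1, a2), (a2, a3), (a3, a4) after 3 comparisons. Widening the window would recover the missed pair but only at the cost of even more comparisons per alert, which is exactly the trade-off the queue graph avoids.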
