Authors
Gustavo Gonzalez Granadillo, Mohammed El-Barbori, Herve Debar
Publication date
2016/11/21
Conference
2016 8th IFIP international conference on new technologies, mobility and security (NTMS)
Pages
1-7
Publisher
IEEE
Description
Current Security Information and Event Management systems (SIEMs) constitute the central platform of modern security operations centers. They gather events from multiple sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver synthetic views of the alerts for threat handling and security reporting. However, as the number of security incidents, and thus the diversity of alerts received by SIEMs increases, the need for appropriate treatment of these alerts has become essential. Alert correlation has been proposed in order to alleviate this problem. Current alert correlation techniques provide a better description of the detected incident and a concise view of the generated alerts, reducing their volume and thus their processing time. Although such techniques support administrators in processing a huge number of alerts, they remain limited, since these solutions do not provide …
Total citations
(citations-per-year chart, 2017 to 2024; per-year counts not recoverable from the page)
Scholar articles
GG Granadillo, M El-Barbori, H Debar - 2016 8th IFIP international conference on new …, 2016