Preprocessor of Intrusion Alerts Correlation Based on Ontology

Intrusion detection systems (IDS) often provide a large number and poor quality alerts, which are insufficient to support rapid identification of ongoing attacks or predict an intruder's next likely goal. Several alert correlation techniques have been proposed to facilitate the analysis of intrusion alerts. However, many works directly upon the alerts, they do not distinguish between alerts and intruders' attack actions. In addition, many works are not grounded on any standard taxonomy, their associated classification schemes are ad hoc and localized. This paper focus on reducing alerts to attack actions with IDMEF and CVE standards in the preprocessor of our intrusion alerts correlation system which is based on ontology. At first, we introduce our intrusion alerts correlation system. Then we present each modules of the preprocessor, the, v are local preprocessor, IDMEF parser, alert to attack module and attack to ontology module.