Alert correlation: Review of the state of the art

The purpose of this document is to offer a review of the state of the art concerning the emerging field of so-called «alert correlation». Despite the fact that several recent publications seem to present this domain as a new one, we will show the close connections that exist with another well established one, namely network management and its event correlation approaches. We try to highlight the core notions embedded within the term “correlation” thanks to the definition of several building blocks used to design “correlation engines”. We focus on the techniques used within the intrusion detection domain and present a survey not only of papers published in that field but also of currently available tools. We show the gap that exists, as of today, between sophisticated techniques presented in research papers and actual implementations that are readily available.