ISSN: 1985-3157 Vol. 2 No. 2 July-December 2008

ALERT CORRELATION TECHNIQUE ANALYSIS FOR DIVERSE LOG

Robiah, Y.2, Rahayu, S.S.2, Shahrin, S.1, Faizal, M.A.2
1 Professor Dr.
2 Fakulti Teknologi Maklumat & Komunikasi, Universiti Teknikal Malaysia Melaka, Locked Bag 1200, Ayer Keroh, Hang Tuah Jaya, 75450 Melaka, Malaysia
Corresponding author's e-mail: robiah@utem.edu.my

ABSTRACT: Alert correlation is a process that analyses the alerts produced by one or more diverse devices and provides a more succinct and high-level view of occurring or attempted intrusions. The objective of this study is to analyse the current alert correlation techniques and identify the significant criteria in each technique that can address Intrusion Detection System (IDS) problems such as proneness to alert flooding, the contextual problem, false alerts and scalability. The existing alert correlation techniques have been reviewed and analysed. From the analysis, six capability criteria have been identified for improving current alert correlation techniques: the capability to perform alert reduction, alert clustering, multi-step attack identification, false alert reduction, known attack detection and unknown attack detection; a combination of techniques is proposed.

Keywords: IDS, alert correlation, diverse devices log, capability criteria

1.0 Introduction

Computer security offers three types of security mechanism to protect a system against attack: authentication, authorisation and auditing. To provide extra layers of defence in case these mechanisms are flawed, IDS have been proposed. Intrusion detection technology has gained increasing acceptance in enterprise networks, with both commercially supported and open source components widely deployed (Anderson, Fong, & Valdes, 2002).
However, it has a few weaknesses: it is prone to alert flooding, to the contextual problem that arises because a single attack is likely to generate multiple related alerts, to false alerts and to scalability problems (Debar & Wespi, 2001); correlation has been proposed to overcome these weaknesses. Device and sensor diversity has created a new difficulty in generating reports, because the number of alerts becomes unmanageable. Referring to Figure 1, from the domain perspective log resources can be gained from host, network, application, sensor and wireless sources. It can be argued that diverse intrusion detection sensors and diverse device log resources provide more
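As an added illustration (not code from the paper), the following Python script shows the two weaknesses just named, alert flooding and many related alerts per attack, being handled by a minimal correlation step over diverse logs: alerts from a constructed network IDS, a host syslog and a firewall source are normalised to one schema and clustered per source address within a time window, which is the alert reduction and clustering capability the abstract refers to. The log formats, addresses, the year and the five-minute window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in three formats: Snort-like IDS text, sshd syslog, firewall log.
RAW_LINES = [
    "[**] [1:1000001:1] LOCAL portscan [**] 07/01-10:00:01 203.0.113.5 -> 198.51.100.7",
    "[**] [1:1000001:1] LOCAL portscan [**] 07/01-10:00:04 203.0.113.5 -> 198.51.100.7",
    "Jul  1 10:00:30 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 5555 ssh2",
    "2008-07-01 10:00:45 DROP TCP 203.0.113.5 198.51.100.7 5556 445",
    "[**] [1:1000002:1] LOCAL sql-injection attempt [**] 07/01-10:20:00 192.0.2.9 -> 198.51.100.8",
]
YEAR = 2008  # IDS and syslog lines carry no year; assumed for the constructed sample

IDS_RE = re.compile(r"\[\*\*\] \[[\d:]+\] (?P<sig>.+?) \[\*\*\] (?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d) (?P<src>[\d.]+) -> [\d.]+")
SYSLOG_RE = re.compile(r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<sig>Failed password) for \S+ from (?P<src>[\d.]+)")
FW_RE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<sig>DROP) \w+ (?P<src>[\d.]+) [\d.]+")

def normalise(line):
    """Map one raw line onto a common schema: (timestamp, src_ip, sensor, signature)."""
    if m := IDS_RE.match(line):
        ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        return ts, m["src"], "ids", m["sig"]
    if m := SYSLOG_RE.match(line):
        ts = datetime.strptime(f"{m['ts']} {YEAR}", "%b %d %H:%M:%S %Y")
        return ts, m["src"], "host", m["sig"]
    if m := FW_RE.match(line):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return ts, m["src"], "firewall", m["sig"]
    return None  # unrecognised format; a real pipeline would count and report these

def correlate(lines, window=timedelta(minutes=5)):
    """Cluster alerts from one source IP within `window` into meta-alerts (alert reduction)."""
    alerts = sorted(a for a in map(normalise, lines) if a is not None)
    meta = []
    for ts, src, sensor, sig in alerts:
        for m in meta:  # join an open cluster for this source, else open a new one
            if m["src"] == src and ts - m["first"] <= window:
                m["last"], m["count"] = ts, m["count"] + 1
                m["sensors"].add(sensor)
                m["signatures"].add(sig)
                break
        else:
            meta.append({"src": src, "first": ts, "last": ts, "count": 1,
                         "sensors": {sensor}, "signatures": {sig}})
    return meta

if __name__ == "__main__":
    for m in correlate(RAW_LINES):
        print(m["src"], m["count"], sorted(m["sensors"]), sorted(m["signatures"]))
```

On the sample input the five raw alerts collapse to two meta-alerts, one of which ties together evidence from all three sensors for the same source address.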