International Journal of Innovative Computing, Information and Control
ICIC International © 2013 ISSN 1349-4198
Volume 9, Number 1, January 2013, pp. 231–255

AN AIS-INSPIRED ARCHITECTURE FOR ALERT CORRELATION

Mehdi Bateni 1, Ahmad Baraani 1, Ali Ghorbani 2 and Abbas Rezaei 3

1 Department of Computer Engineering, University of Isfahan, HezarJerib Street, Isfahan, Iran
{bateni; ahmadb}@eng.ui.ac.ir

2 Faculty of Computer Science, University of New Brunswick, 550 Windsor Street, Fredericton, New Brunswick, Canada
ghorbani@unb.ca

3 Department of Immunology, Isfahan University of Medical Sciences, HezarJerib Street, Isfahan, Iran
rezaei@mui.ac.ir

Received October 2011; revised February 2012

Abstract. There are many different approaches to alert correlation, such as using correlation rules and prerequisite-consequence relations, using machine learning and statistical methods, and using similarity measures. In this paper, iCorrelator, a new AIS-inspired architecture, is presented. It uses a three-layer architecture that is inspired by three types of responses in the human immune system: the innate immune system's response, the adaptive immune system's primary response, and the adaptive immune system's secondary response. In comparison with other correlators, iCorrelator does not need information about different attacks and their possible relations in order to discover an attack scenario. It uses a very limited number of general rules that are not related to any specific attack scenario. A process of incremental learning is used to cope with new attacks. Therefore, iCorrelator is easy to set up and works dynamically without reconfiguration. As a result of using memory cells and an improved alert selection policy, the computational cost of iCorrelator is also acceptable even for online correlation. iCorrelator is evaluated using the DARPA 2000 dataset and netForensics honeynet data. The completeness, soundness, false correlation rate and execution time are reported. Results show that iCorrelator is able to extract attack graphs with acceptable accuracy that is comparable to the best known solutions.

Keywords: Intrusion detection system (IDS), Alert correlation, Artificial immune system (AIS)

1. Introduction. Intrusion detection is a rapidly growing field. It is the process of identifying and (possibly) responding to malicious activities targeted at computing and network resources [1]. When an intrusion detection system (IDS) detects a malicious activity, it generates an alert. Alerts are usually low-level: each one carries only a small piece of information about the malicious activity, which on its own is almost useless to the administrator. On the other hand, an IDS in a large network of computers with many different users generates high volumes of low-level alerts. These raw alerts overwhelm the system administrator to the point that she/he cannot use them effectively. As a result, the administrator may ignore these alerts and miss the intrusions they may indicate. Alert correlation is used to overcome this problem. It is a process that analyzes the alerts produced by one or more