Please use this identifier to cite or link to this item: http://dspace.univ-tiaret.dz:80/handle/123456789/16916
Title: Alerts Correlation by attention mechanisms
Authors: Benamer Belkacem, Nawel
Keywords: Network Security; Intrusion Detection Systems; Alert Correlation; False positives
Issue Date: Jun-2025
Publisher: University of Ibn Khaldoun Tiaret
Abstract: From the inception of intrusion detection systems to the present day, all IDSs have continuously generated large numbers of alerts, many of which are false positives. This produces an overwhelming amount of data for security analysts, leading to missed or delayed detection of real threats. Our solution is an alert correlation framework with an attention mechanism that produces fewer false positives. Through this process, the model learns dependencies and contextual relationships between features of alerts, indicating that the model can better distinguish between malicious and benign traffic. Unlike previous approaches, our approach does not rely on prior knowledge of specific attacks or predefined normal behavior, making it robust and adaptable to unknown or evolving threats. By modeling feature relationships contextually, the proposed method enhances detection accuracy while significantly reducing the number of false positives.
URI: http://dspace.univ-tiaret.dz:80/handle/123456789/16916
Appears in Collections: Master

Files in This Item:
File: TH.M.INF.2025.43.pdf
Size: 2,14 MB
Format: Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.