An alert correlation approach based on IFO-QCL and on the handling of partial information in possibility theory
- Advisor: Salem Benferhat
- PhD defended on: Jun 28, 2015
In this thesis, we propose a model for the alert correlation process based on a new preference logic, called IFO-QCL (Instantiated First Order Qualitative Choice Logic). The proposed alert correlation process takes as input a set of alerts generated by intrusion detection systems (IDS) and a set of knowledge and preferences of a security operator, encoded in IFO-QCL. As output, it produces a set of preferred and relevant alerts.

In practice, IDS alerts may not carry values for the attributes that the security operator uses in his knowledge and preferences. To classify such partial alerts, two dual methods are proposed. The first completes the partial alert; the second reduces the knowledge and preference formulas so that they only refer to attributes actually present in the alert.

We propose a polynomial algorithm that assigns each alert a satisfaction degree according to IFO-QCL semantics and selects the set of preferred alerts. Experimental studies carried out on real alerts show the merits of the model.
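To make the satisfaction-degree idea concrete, the following is an added Python illustration, not the thesis's code nor its IFO-QCL algorithm. It uses the ordered-disjunction semantics of propositional Qualitative Choice Logic (a formula f1 × f2 × ... is satisfied at degree k by the first disjunct that holds, shifted by the optionality of the disjuncts skipped before it) over alert attributes, and implements the two dual treatments of partial alerts described above. The alert attributes, value domains, knowledge and preference formulas, the QCL-style lexicographic ranking, and the choice of a pessimistic completion (an alert only gets the degree every completion guarantees) are all assumptions made for this example.

```python
"""Toy QCL-style ranking of IDS alerts with two ways of handling partial alerts.

Formulas are nested tuples over alert attributes:
  ("atom", attr, value)        alert[attr] == value
  ("not", f)                   classical negation (f itself classical)
  ("and", f1, f2, ...)         ("or", f1, f2, ...)
  ("ox", f1, f2, ...)          ordered disjunction: prefer f1; failing that f2; ...
"""
from itertools import product


def opt(f):
    """Optionality: the largest degree at which f can be satisfied (QCL)."""
    kind = f[0]
    if kind in ("atom", "not"):
        return 1
    if kind in ("and", "or"):
        return max(opt(g) for g in f[1:])
    return sum(opt(g) for g in f[1:])           # "ox"


def degree(f, alert):
    """QCL satisfaction degree of f by a complete alert (1 is best); None if unsatisfied."""
    kind = f[0]
    if kind == "atom":
        return 1 if alert.get(f[1]) == f[2] else None
    if kind == "not":
        return 1 if degree(f[1], alert) is None else None
    if kind == "and":
        ds = [degree(g, alert) for g in f[1:]]
        return None if None in ds else max(ds)
    if kind == "or":
        ds = [d for d in (degree(g, alert) for g in f[1:]) if d is not None]
        return min(ds) if ds else None
    offset = 0                                  # "ox": first satisfied disjunct wins,
    for g in f[1:]:                             # penalised by the optionality of the
        d = degree(g, alert)                    # disjuncts skipped before it
        if d is not None:
            return offset + d
        offset += opt(g)
    return None


def attrs(f):
    """Attributes mentioned by f."""
    return {f[1]} if f[0] == "atom" else set().union(*(attrs(g) for g in f[1:]))


def completions(alert, needed, domains):
    """Method 1 (completion): every complete alert obtained by filling the
    attributes in `needed` that the alert lacks, from their value domains."""
    missing = sorted(a for a in needed if a not in alert)
    for values in product(*(domains[a] for a in missing)):
        yield {**alert, **dict(zip(missing, values))}


def completion_degree(f, alert, domains, optimistic=False):
    """Degree of f for a partial alert via completion (an assumption of this example).
    Pessimistic (default): the degree every completion guarantees, unsatisfied if some
    completion violates f; optimistic: the best completion."""
    ds = [degree(f, c) for c in completions(alert, attrs(f), domains)]
    sat = [d for d in ds if d is not None]
    if optimistic:
        return min(sat) if sat else None
    return max(sat) if len(sat) == len(ds) else None


def reduce_formula(f, present):
    """Method 2 (reduction): drop every sub-formula mentioning an attribute the
    alert does not carry; returns None if nothing of f survives."""
    if f[0] == "atom":
        return f if f[1] in present else None
    if f[0] == "not":
        g = reduce_formula(f[1], present)
        return None if g is None else ("not", g)
    kept = [g for g in (reduce_formula(g, present) for g in f[1:]) if g is not None]
    if not kept:
        return None
    return kept[0] if len(kept) == 1 else (f[0], *kept)


def reduction_degree(f, alert):
    g = reduce_formula(f, set(alert))
    return 1 if g is None else degree(g, alert)   # a vanished formula imposes nothing


def rank_alerts(alerts, knowledge, preferences, domains, mode="completion"):
    """Keep alerts consistent with every knowledge formula, then order them as QCL
    orders models: most preferences at degree 1 first, ties broken at degree 2, and
    so on. Alerts violating some preference outright are dropped."""
    def deg(f, alert):
        return completion_degree(f, alert, domains) if mode == "completion" \
            else reduction_degree(f, alert)

    worst = max((opt(p) for p in preferences), default=1)
    ranked = []
    for alert in alerts:
        if any(deg(k, alert) is None for k in knowledge):
            continue
        degs = [deg(p, alert) for p in preferences]
        if None in degs:
            continue
        key = tuple(-degs.count(k) for k in range(1, worst + 1))
        ranked.append((key, alert, degs))
    ranked.sort(key=lambda t: t[0])             # stable: ties keep input order
    return [(a, d) for _, a, d in ranked]


# Constructed sample data for this example, not taken from the thesis.
DOMAINS = {"proto": ["tcp", "udp"], "zone": ["dmz", "lan"], "sig": ["scan", "exploit", "info"]}
ALERTS = [
    {"id": 1, "proto": "tcp", "sig": "exploit"},                 # partial: no "zone"
    {"id": 2, "proto": "tcp", "zone": "dmz", "sig": "exploit"},
    {"id": 3, "proto": "udp", "zone": "lan", "sig": "info"},
    {"id": 4, "proto": "tcp", "zone": "lan", "sig": "scan"},
]
KNOWLEDGE = [("not", ("atom", "sig", "info"))]                   # informational alerts are never relevant
PREFERENCES = [
    ("ox", ("atom", "sig", "exploit"), ("atom", "sig", "scan")),  # exploits before scans
    ("ox", ("atom", "zone", "dmz"), ("atom", "zone", "lan")),     # DMZ before LAN
]


def ranked_ids(mode):
    return [a["id"] for a, _ in rank_alerts(ALERTS, KNOWLEDGE, PREFERENCES, DOMAINS, mode)]


if __name__ == "__main__":
    for mode in ("completion", "reduction"):
        print(mode, [(a["id"], d) for a, d in rank_alerts(ALERTS, KNOWLEDGE, PREFERENCES, DOMAINS, mode)])
```

The two methods disagree exactly on the partial alert: under pessimistic completion it is charged degree 2 on the zone preference because one possible completion ("lan") only satisfies it at that degree, so it ranks behind the complete DMZ exploit; under reduction the zone preference vanishes for that alert, it is scored only on what it carries, and it ties with the DMZ exploit. The informational alert is filtered out by the knowledge formula in both modes.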