Intrusion Detection Systems Correlation: a Weapon of Mass Investigation
By Sebastien Tricaud on Monday, April 7 2008, 03:37 - Permalink
The paper I co-wrote with Pierre is now available:
Abstract. This paper describes how correlation can be used to reduce false positives, discover new attacks and fight the evasion of intrusion detection systems. Events from different sources (network-based, host-based and others) are used to increase the accuracy of alerts and the understanding of attacks. A complete solution based on the Prelude IDS framework and the Intrusion Detection Message Exchange Format (IDMEF) standard is proposed, using Voice over IP (VoIP) as an example. Taking advantage of existing products in a hierarchical manner makes the extraction of relevant security issues more efficient. We also propose an algorithm that uses correlation results to lower the amount of work needed on sensors, so as to concentrate on higher-level attack detection.
Key words: IDS, Hybrid IDS, IDMEF, Prelude, Correlation, Management, Assessment, Visualization
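As an added illustration of the multi-source correlation the abstract describes (this is example code, not from the paper or the Prelude project), a toy correlator in Python over constructed, flattened IDMEF-style alerts in a VoIP scenario: a network sensor and a host sensor report the same source/target pair, agreement across analyzer types raises the assessed confidence, and isolated alerts stay low. The field names, time window and confidence rule are assumptions, not IDMEF or Prelude semantics.

```python
from collections import defaultdict

# Constructed, flattened IDMEF-flavoured alerts (real IDMEF is a nested model with
# Analyzer, Source, Target, Classification and Assessment elements; this is a toy).
ALERTS = [
    {"analyzer": "nids", "classification": "SIP REGISTER flood",
     "source": "203.0.113.7", "target": "192.0.2.10", "time": 100},
    {"analyzer": "nids", "classification": "SIP REGISTER flood",
     "source": "203.0.113.7", "target": "192.0.2.10", "time": 101},
    {"analyzer": "hids", "classification": "asterisk: registration failures",
     "source": "203.0.113.7", "target": "192.0.2.10", "time": 130},
    {"analyzer": "nids", "classification": "SIP OPTIONS probe",
     "source": "198.51.100.4", "target": "192.0.2.10", "time": 300},
]


def correlate(alerts, window=60):
    """Group alerts by (source, target) within a time window (assumed 60 s) and
    assess each group: independent analyzer types agreeing raises confidence."""
    buckets = defaultdict(list)  # (source, target) -> list of alert groups
    for alert in sorted(alerts, key=lambda a: a["time"]):
        groups = buckets[(alert["source"], alert["target"])]
        # Same group while within `window` seconds of the group's first alert.
        if groups and alert["time"] - groups[-1][0]["time"] <= window:
            groups[-1].append(alert)
        else:
            groups.append([alert])
    correlated = []
    for (source, target), groups in buckets.items():
        for group in groups:
            analyzers = {a["analyzer"] for a in group}
            if len(analyzers) > 1:
                confidence = "high"    # network and host sensors agree
            elif len(group) > 1:
                confidence = "medium"  # repeated, but a single viewpoint
            else:
                confidence = "low"     # isolated alert: false-positive candidate
            correlated.append({
                "source": source, "target": target,
                "analyzers": sorted(analyzers),
                "classifications": sorted({a["classification"] for a in group}),
                "alert_count": len(group), "confidence": confidence,
            })
    return correlated


def high_confidence(alerts, window=60):
    """Only the correlated alerts that merit an analyst's attention."""
    return [c for c in correlate(alerts, window) if c["confidence"] == "high"]
```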