
Multi-Level Alert Clustering for Intrusion Detection Sensor Data*

Ambareen Siraj
Department of Computer Science and Engineering Mississippi State University Msstate, MS 39759 ambareen@cse.msstate.edu
Abstract - Alert fusion is a promising research area in information assurance today. To increase trustworthiness in systems, most modern information systems deployed in distributed environments employ multiple, diverse sensors that monitor security violations throughout the network. The outputs of the sensors must be fused in an effective and intelligent manner in order to provide an overall view of the status of such systems. A unified architecture for intelligent alert fusion will essentially combine alert prioritization, alert clustering and alert correlation. In this paper, we address the alert clustering aspect of sensor data fusion in an intrusion detection environment. A causal knowledge based inference technique with fuzzy cognitive modeling is used to cluster alerts by discovering structural relationships in sensor data.

Rayford B. Vaughn
Department of Computer Science and Engineering Mississippi State University Msstate, MS 39759 vaughn@cse.msstate.edu

I. INTRODUCTION

Information assurance is viewed as the perception that systems are operating as required - with expected protection of the availability, confidentiality and integrity of information within the systems. In order to maintain trust in systems, mechanisms are deployed that monitor any violation of such perception. Intrusion detection systems (IDSs) have been extensively used by researchers and practitioners to maintain trustworthiness in systems. An IDS closely monitors systems and their networks for any sign of probable security violations and then reports alerts to an appropriate authority. Additionally, defense-in-depth strategies suggest that multiple IDSs/sensors should exist in a protected system, all reporting on the security health of the system and/or network. Research in IDS improvement has taken on new challenges in the past few years. One such contemporary and promising approach in this area is alert fusion in a multisensor environment. Increased demands for more trustworthy systems and the fact that a single sensor cannot detect all types of misuse/anomalies have prompted most modern information systems to employ multiple, diverse sensors. Intelligent sensor fusion of runtime behavior data is critical for such systems to obtain a holistic notion of a complex system's runtime status. Therefore, the outputs of sensors must be fused in an effective and intelligent manner in order to provide an overall view of the status of a distributed system.

This research concentrates on the use of a possibilistic approach in alert fusion with Fuzzy Cognitive Modeling in order to provide a general surveillance capability for dedicated systems. A unified architecture for intelligent alert fusion essentially combines alert prioritization, alert clustering and alert correlation. For alert clustering, a multi-level clustering method is used to accommodate inexact matching. Alert correlation with abstract modeling deals with correlating alerts generated as a result of coordinated attacks [13]. Also, a multitier sensor fusion method is used for complementary sensor corroboration, which is particularly suitable in the high performance cluster environment. In this paper, the alert clustering aspect of sensor data fusion in a distributed environment is addressed. A causal knowledge based inference technique with fuzzy cognitive modeling is used to cluster alerts by discovering feature similarities in sensor data. The following sections will briefly outline some related research, provide necessary background information for this research, describe the technique used in multi-level alert clustering, report on some preliminary results on a benchmark dataset and lastly conclude.

This work is supported by NSF Cyber Trust Program Grant No: SCI0430354, NSA IASP Grant No: H98230-04-1-0205, and Office of Naval Research Grant number N00014-01-1-0678.

0-7803-9187-X/05/$20.00 2005 IEEE.

II. RELATED WORK

Research in the area of alert clustering emerged in the last few years and primarily concerns information modeling and high level reasoning. Among them, the ones that are relevant to our work are the following. One of the early research efforts in this area was led by Debar and Wespi [4]. In this work the authors introduced the concept of the Aggregation and Correlation Component (ACC), which analyzes and correlates alerts generated by IDSs using an expert rule-based system. ACCs look for aggregation relationships between alerts by grouping together alerts based on common characteristics. With three aggregation axes, seven different situations can be aggregated. In the French Defense Agency's MIRADOR project [2], one of the functions of a co-operation module between multiple IDSs is alert clustering. The co-operation module is an expert rule-based system that supports logical reasoning with predicate logic. In this system, alert clustering refers to finding similarity of new alerts to existing alerts in a knowledge repository. Alert similarity is determined by the similarity requirements specified by expert rules, which are domain specific and defined by examination of prior alerts generated by the IDSs. Probabilistic alert correlation finds similarity between alerts that match closely, if not exactly [15]. In this clustering approach, a repository of meta-alerts, constructed using expert knowledge and prior alerts from heterogeneous sensors, is maintained for similarity matching with alerts reported. The clustering scheme uses similarity functions to measure the closeness of each feature pair. Construction of similarity functions to measure feature similarity is based on a combination of an expert rule-base and Bayes formalism. Dain and Cunningham [3] use an alert clustering scheme that fuses alerts into scenarios using an algorithm that is probabilistic in nature. In this system, scenarios are developed as they occur, i.e., whenever a new alert is received it is compared with current existing scenarios and then assigned to the scenario that yields the highest probability score depending on factors such as strength of link, time and source. For alert comparison, the authors use a Bigram model, where the new alert is compared with the most recent alert in a scenario. Julisch introduces attribute generalization in alarm (i.e., alert) clustering as a method to support root cause discovery [6]. The root cause of an alarm is defined as the reason for which it occurs. This work outlines a semi-automatic approach for reducing false positives in alarms by identifying the root causes with clustering of alerts by abstraction and then eliminating the root causes to reduce alarm overload.

III. BACKGROUND

Alert fusion, alert aggregation, alert clustering, alert correlation - all serve the same primary purpose of providing some form of high level analysis and reasoning capabilities beyond low level sensor abilities.
We refer to alert fusion as the process of interpretation, combination and analysis of alerts to determine and provide a quantitative value for a system such that the value is representative of the degree of concern in the system. Often alerts may not seem significant when they are isolated, but when association(s) can be discovered to link them together, their significance may intensify. In general, associations can be of two types: structural (based on constituents of alerts) and causal (based on cause and effects of alerts). Therefore, in order to discover both types of alert associations, alert fusion is conducted for:

1. Alert Clustering: To find structural relationships in data by grouping/aggregating alerts with common features. Alert clustering can aid in alert reduction and discovery of common attack patterns.

2. Alert Correlation: To find causal relationships in data by associating alerts which are parts of linked chains of events. Alert correlation can help to identify multi-staged attacks and to reduce alert volume [13].

Alert clustering involves grouping or merging together similar alerts such that common generic attacks on systems can be discovered. In exact approaches, common feature values between two alerts are compared for a perfect match in order to consider them identical alerts. Alerts are considered to belong to the same cluster/group if they have common attribute values for different features like source, target, time, attack, service, and user. But often in real situations, the notion of similarity is not clear-cut but involves a certain degree of likelihood. We address alert clustering based not only on exact matches of attribute values but also on close or inexact matches of attribute values by incorporating the approximate nature of fuzzy logic for defining similarity between alerts. Soft computing differs from hard computing by accommodating tolerance for impreciseness, uncertainty and partial truth. Fuzzy Cognitive Maps (FCMs), which originated from the synergism of fuzzy logic and neural networks, are such an efficient soft computing tool [14]. Professor Bart Kosko of the University of Southern California extended cognitive maps (signed digraphs of nodes and edges) to fuzzy cognitive maps by considering the fuzzy aspects of causality and by accommodating the knowledge-base building property [7]. FCMs model the world as concepts and causal relations between concepts in a structured collection [7, 8, 9]. Concepts (nodes) in an FCM are events that originate in the system and whose values can change over time. The causality links between concepts are represented by directed edges that denote how much one concept impacts the other(s). The concepts in the FCMs can be crisp sets or fuzzy sets defined by fuzzy membership functions [9]. Concepts typically take values in the interval [0,1]. In the simplest case, a concept is either on (1) or off (0). A concept can also be represented by a fuzzy set and can fire to some degree. The edges typically have values between 0 and 1 or between -1 and 1. Edges can also be fuzzy, and in those cases we can use linguistic words such as a little, very, somewhat to represent the edges. When the edges between concepts are fuzzy values, fuzzy set operators like T-norms and T-conorms can be applied to the particular chain of concepts to infer the total effects of concepts in the chain [7].
[Figure: two concept nodes C_i and C_j joined by a directed edge e_ij]

Fig. 1 Two FCM Concepts and a Connecting Edge Representing a Causal Link

Fig. 1 shows two FCM concepts C_i and C_j connected by edge e_ij. The edge e_ij can be used to define rules or causal flow between the concept nodes C_i and C_j [7]. An edge value of e_ij = 0 indicates that there is no cause-effect relation between the concepts C_i and C_j. A value e_ij > 0 denotes positive causality, i.e., whenever concept C_i increases, C_j increases by the degree e_ij. Conversely, e_ij < 0 denotes negative causality, i.e., whenever concept C_i increases, there is a decrease in C_j by the degree e_ij. Therefore, a higher absolute value for e_ij indicates a greater effect of the cause and a lower value indicates a lesser effect of the cause. FCMs support adaptive behavior and provide a graphical representation of knowledge that can be used for explanation of reasoning [14]. Researchers have used FCMs for many tasks in several different domains. Use of FCMs was first reported in [12] for fusing alert information in a multi-sensor intrusion detection environment to assess network health. Fuzzy Intrusion Recognition Engine, a network based IDS, also uses FCMs in detecting attacks from features extracted from network traffic [16]. The work that we present in this paper differs from our previous work [12] primarily in the focus of the research, which is discovery of structural relationships between alerts accommodating inexact matching in feature attributes.

Fig. 3 Alert Type Generalization Hierarchy

III. MULTI-LEVEL ALERT CLUSTERING

Our approach uses multi-level alert clustering, where alert features are clustered at different levels of abstraction or resolution such that different degrees of deviation in commonality are tolerated. In this way, along with identical clusters of the same alerts, clusters of similar alerts can also be found. The fusion model applies a combination of an attribute oriented generalization technique and a possibilistic approach with fuzzy cognitive modeling to perform such multi-level alert clustering. The principal objective of the intelligent alert fusion model is to provide an overall condensed view of the distributed system by assessing the health of the primary resources in the network (essentially the computing nodes/hosts in the network). Therefore, the fusion model is resource-centric, i.e., analysis is centered upon the resources in the system in terms of the communication involving them. A resource centric view inherently reduces alert volume by:

1. presenting an overall picture of the compromised resources to the security administrator instead of the large volume of all alerts issued;

2. not having to take account of information that is out of the scope of the resource perimeter.
For a cluster environment, where performance heavily depends on system resources, such a view only seems natural. In resource-centric alert clustering, the objective is to seek out suspicious clusters activated for each resource in the network and measure the degree of association of the resources with all generated alert clusters. Clusters of the same/similar alerts are created by grouping alerts with the same/similar features. Clustering on source attributes helps to associate alerts originating from the same/similar sources, clustering on time attributes helps to associate alerts that occur in short/close intervals, and clustering on attack names helps to associate alerts that are of the same/similar nature. Since these primary candidate features for alert clustering are all categorical, the clustering problem becomes difficult and challenging. In this respect, researchers have used taxonomies or generalization hierarchies of attributes to find clusters of alarms/alerts [6]. In traditional alert clustering, identical alerts are clustered that correspond to an exact match of feature values. In multi-level alert clustering, in addition to exact matching of feature values, the fusion model also generalizes the feature values to extend the cluster perimeter in order to consider more of the related alerts (fig. 2).

[Figure: exact cluster membership]
  A.sourceIP1 SAME AS A.sourceIP2
  AND A.targetIP1 = A.targetIP2
  AND A.alertSignature1 SAME AS A.alertSignature2
  AND A.time1 SAME AS A.time2

[Figure: extended cluster membership]
  A.sourceIP1 SIMILAR TO A.sourceIP2
  A.alertSignature1 SIMILAR TO A.alertSignature2
  A.time1 SIMILAR TO A.time2

Fig. 2 Extending Cluster Perimeter to include Similar Alerts

The fusion model considers the similarity notion in terms of category/class/type matching at different levels of abstraction using a generalization hierarchy of feature attributes. A generalization hierarchy represents a hierarchy formed by the generalization relationships of a set of attributes. Fig. 3 shows a generalization hierarchy for attack names. Using such a generalization hierarchy, specific attack names can be generalized to categories of attacks at different abstraction levels, and such abstraction enables the fusion model to find similarity between two attacks with different attack names. For example, at level 4 (most specific) of the generalization hierarchy, two attacks ffbconfig and fdformat may seem different, but both of them can be generalized to the Privilege Violation category at level 3 and therefore can be considered similar at that level. Again, for two seemingly different attacks dictionary and ffbconfig, the fusion model can find similarity between them at level 2, as both can be generalized to the Access Control Violation category. Clearly, alerts found to match at level 3 should be considered more similar than those that match at level 2. To capture this notion of similarity being directly associated with the level of the abstraction hierarchy, the fusion model uses the distance between abstraction levels to compute the feature similarity. In this respect, the fusion model uses abstraction lattices for alert features with distance scores as shown in fig. 4. Here the most specific level (with no generalization) is level 4 and the least specific level (with the highest order of generalization) is level 1. Such an abstraction lattice enables the fusion model to consider feature similarity at different levels of abstraction.

(Fig. 3 annotation) Attacks associated with root-owned ffbconfig and fdformat utility programs to gain root privilege.
Level of Abstraction    IP Address    Attack          Time Interval
1 (General)             Type          Type            Within Period
2                       Network       Sub-type        Within Hours
3                       Subnet        Sub-sub-type    Within Minutes
4 (Specific)            Host          Name            Seconds

Fig. 4 Abstraction Lattice for Alert Features

To illustrate, suppose two alerts have the same IP address, which will yield an exact match and a similarity score of 4 for the source feature. But suppose two alerts are from different sources and hence do not have the same IP address. In that case, the fusion model generalizes them at different abstraction levels to see if any match can be found at the higher levels of abstraction. Suppose the two alerts are found to be generated from sources on the same subnet; then the source feature similarity would have a score of 3. If they matched only at the type level (e.g., sources with the same class A type address), then the similarity score given would be 1. Using such distance scores for similarity measurement enables the fusion model to give higher similarity scores to matches at more specific levels and lower similarity scores to matches at more generalized levels, i.e., a higher score designates more similar alert features and vice versa. For each resource in the network, the fusion model generates different types of similar alert clusters according to different combinations of attribute generalization (Table I).
TABLE I MULTI-LEVEL CLUSTERS

Cluster                                          Source  Attack  Time  Min Score  Max Score
Similar_Source_Similar_Attack_Similar_Time, C1   G       G       G     3          9
Similar_Source_Same_Time_Similar_Attack, C21     G       G       S     6          10
Same_Source_Similar_Attack_Similar_Time, C22     S       G       G     6          10
Similar_Source_Same_Attack_Similar_Time, C23     G       S       G     6          10
Similar_Source_Same_Attack_Same_Time, C31        G       S       S     9          11
Same_Source_Same_Time_Similar_Attack, C32        S       G       S     9          11
Same_Source_Same_Attack_Similar_Time, C33        S       S       G     9          11
Same_Source_Same_Attack_Same_Time, C4            S       S       S     N/A        12

In the columns under Source, Attack and Time, S denotes specific or exact matching and G denotes matching with generalization. When an alert generated for a particular resource (target) becomes a candidate for a cluster, the score it contributes to the support of the cluster is computed by combining the similarity scores for all features. The Max Score column in Table I represents the maximum score an alert can contribute in this respect and the Min Score column represents the minimum score. Intuitively, the scores denote the degree to which an alert belongs to a specific alert cluster or group. To illustrate, suppose X is an alert that is a candidate for the cluster Similar_Source_Same_Attack_Same_Time. For this particular cluster to activate, the attack and time attributes have to be the same; deviations are tolerated only for the source attribute, so only it can be generalized. The similarity score will be 4 (the distance score of the most specific level) for each of the attack and time attributes (4+4=8 for both), and the similarity score for the source attribute will vary from 1 to 3, from least to most specific (it won't be 4, as the source is not the same/exact). Therefore, for this particular cluster, an alert can contribute candidacy scores in the range of 9 (8+1, the Min Score) to 11 (8+3, the Max Score) (the row for C31 in Table I). Depending on the abstraction level used in similarity matching, an alert's candidacy score can vary on a scale between 3 and 12 for the clusters in Table I. The fusion model fuzzifies the crisp score by mapping it to a fuzzy variable with a normalized range of 0 to 1. Fig. 5 shows the complete term set of the fuzzy variable candidacy score, superimposed on the score distribution data for the clusters in Table I.

[Figure: membership (0 to 1.0) of the terms Low, Medium and High plotted against the crisp candidacy score axis 0 to 12, with the score ranges of clusters C1, C21, C22, C23, C31, C32 and C33 superimposed]

Fig. 5 Fuzzy Candidacy Score for Alerts

The cluster in the last row of Table I employs exact reasoning and does not allow any deviations or generalization.

(Fig. 3 annotation) Attack to crack password to gain user access.

It should be made clear that the fusion model only considers an alert to be a member of one and only one cluster. Although the cluster definition allows one alert to be a member of several clusters, for simplification purposes the fusion model does not allow such overlapping and considers an alert's candidacy for the most specific cluster found. Being a resource centric model, the fusion model seeks out suspicious clusters activated for each resource in the system. Different types of alert clusters are generated according to different combinations of the features and feature similarities. The strength of a particular alert cluster depends on the closeness of all contributing alerts in generating the cluster. The strength of a cluster activated for a particular resource is computed as an average of the fuzzy candidacy scores of all the contributing alerts. I.e., for each alert A_i that contributes to a cluster C_j, the cluster strength of C_j, S(C_j), is given by:

$$S(C_j) = \frac{\sum_i F(A_i)}{\text{count of } A_i}$$

where F(A_i) is the fuzzy candidacy score of alert A_i.

In order to compute the individual cluster strengths and also to fuse the overall impact of the activated clusters on each resource, the resemblance between FCMs and neural networks is utilized [1]. In the neural network approach, the concepts of the FCM are represented by neurons and the edges are represented by the weights of the connecting neurons. The cluster concepts in the FCMs, treated as neurons, trigger activation of the alert levels with different weights depicting the impact between them. An adjacency matrix is used to list these cause and effect relationships between the FCM concepts. In an FCM, the runtime operation is observed by determining the value of the effect/output concept from the cause/input concepts and the connecting edge values.
[Figure: FCM with cluster concepts feeding the Cluster Association Strength concept through positive edges: C4 with impact +I4; C31, C32, C33 with impact +I3; C21, C22, C23 with impact +I2; C1 with impact +I1]

Fig. 6 Combining Evidence of Cluster Generation

The evidence of the different clusters generated for a particular resource is fused to compute their collective effect by considering their impacts. The overall effect of suspicious clusters activated for a particular resource is denoted by the resource's cluster association strength (CAS). At any time, the CAS for any particular resource will collectively represent the effects of all the suspicious clusters activated for that resource at that time. The FCM in fig. 6 denotes how the different clusters generated affect the overall cluster association strength of a resource. The impact levels are different depending on the nature of the cluster. More specific clusters cause more impact on the resource than less specific ones, according to which abstraction level was used for generalization. Therefore, it will always be that I4 > I3 > I2 > I1. The impact values are determined by using the maximum fuzzy candidacy score for each cluster. The CAS of a resource R_i at time t_{n+1}, for each contributing cluster C_k with impact I_ki, can be represented as the following:
$$\mathrm{CAS}(R_i)(t_{n+1}) = \frac{\sum_{k=1}^{n} S(C_k)(t_n)\, I_{ki}(t_n)}{\sum_{k=1}^{n} I_{ki}(t_n)}$$

It should be pointed out that CAS can be considered a confidence score given by the fusion model to represent the degree of concern for a particular resource in its involvement in identical attack trends.

IV. PRELIMINARY RESULTS AND CONCLUSION

To evaluate the effectiveness of the alert clustering technique based on fuzzy cognitive modeling, preliminary experiments were conducted with MIT Lincoln Lab's DARPA 2000 Intrusion Detection Evaluation (IDEVAL) Scenario Specific Data Sets [10]. This is a renowned benchmark dataset that contains simulated multi-staged attack scenarios in a protected environment. Since we are interested in fusion of sensor data, we needed to work on a sensor alert report generated on the Lincoln Lab dataset. Such a sensor alert report by the RealSecure network sensor (Version 6.0) [5], executed with the Maximum Coverage Policy on the Lincoln Lab datasets, has been made available by researchers at North Carolina State University as a part of the TIAA (A Toolkit for Intrusion Alert Analysis) project [11]. This sensor alert report was used in the experiments to evaluate the usefulness of the multi-level alert clustering approach. The abstraction hierarchy, as shown in fig. 3, was used to generalize the alert types in the sensor alert report. We should mention that for this experiment, which involved alerts from a signature based sensor and as no anomaly sensors were in use, alert types were abstracted up to level 2. The low level alerts reported by RealSecure were generalized to abstract categories with the help of attack signature descriptions provided by ISS, Inc.'s X-Force database, a very comprehensive threats and vulnerabilities database (http://xforce.iss.net/). In addition, security experts were consulted for their valuable comments/suggestions on the generalization scheme. The results of the preliminary experimental run were encouraging. Along with exact/identical alert clusters, the fusion model was able to identify different types of similar alert clusters at different levels of abstraction. Also, overall quantitative measures for the cluster association strength of each concerned resource were reported. Due to space constraints, results for a limited number of hosts are reported below.

In the DDoS 1.0 inside zone sensor alert report, for the host mill (IP: 172.016.115.020, one of the three victim hosts that the attacker compromised individually and then used to launch the DDoS attack), the fusion model reported five different alert clusters, the maximum number of clusters found for an individual host. The different alert clusters reported for mill are shown in Table II.

TABLE II MULTI-LEVEL CLUSTERS GENERATED FOR HOST MILL

Cluster Name                                  # of Contributing Alerts  Cluster Strength
Similar_Source_Similar_Attack_Similar_Time    2                         0.43
Similar_Source_Same_Attack_Similar_Time       2                         0.632
Same_Source_Same_Time_Similar_Attack          2                         0.8
Same_Source_Same_Attack_Similar_Time          9                         0.776
Same_Source_Same_Attack_Same_Time             8                         0.894

In this case, the cluster comprising alerts with exactly matched attribute values (last row in the table) is Same_Source_Same_Attack_Same_Time and includes eight alerts in total. With multi-level alert clustering, fifteen more alerts were found to be similar and grouped in four different clusters. An example is the generalized cluster Same_Source_Same_Time_Similar_Attack (middle row in Table II), which grouped two similar alerts with source IP: 202.077.162.213, generalized attack type Host_Information_Leakage, occurring at the same time. For these two alerts, the particular alert names reported by the sensor are Telnet_Terminal_Type and Telnet_Env_All. Although the alert names do not match at the specific level, both of these alerts indicate that sensitive information related to the host terminal has been communicated and thus can be generalized to the same abstract alert type. Therefore, it makes sense to find similarity between them at that particular abstraction level. Along with identifying same/similar clusters, the fusion model reported the degree of the concerned host's involvement in such clusters or common attack patterns. In the example shown in Table II, the overall cluster association strength reported for host mill was 72.03%. The highest cluster association strength (85.01%) was reported for another victim host, locke (IP: 172.016.112.010). This is due to the fact that for this particular host, the alerts grouped together required the least effort in generalization to find a match. This supports the notion that a higher cluster association strength indicates the presence of more specific alert clusters for a particular host and a lower cluster association strength indicates the presence of more generalized alert clusters. The above represents only partial results from the preliminary experiments we conducted. The results of the experiments show potential for the multi-level alert clustering approach. Currently, we are in the process of conducting more experiments and refining the clustering technique. We expect to achieve improved results and will report the results in future publications. The limitations of this approach include the requirement of mapping sensor alert types into a generalization hierarchy.
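The scheme of Table I, the S(C_j) average and the CAS weighted sum, carried through end to end in Python as an added example (not the paper's implementation). The attack hierarchy, the /24 subnet and /16 network boundaries, the time thresholds, the linear fuzzification of the 3..12 score, the comparison against each resource's earliest alert and the sample alerts are all constructed assumptions, so the CAS it yields is not the paper's 72.03% for mill.

```python
"""Multi-level alert clustering: abstraction-lattice similarity scores, one cluster per
alert, cluster strength S(Cj) and cluster association strength CAS. Added example, not
the paper's code; hierarchy, lattice thresholds, fuzzification and alerts are constructed."""
from ipaddress import IPv4Address, IPv4Network
from statistics import mean

# Constructed attack generalization hierarchy, level 1 (most general) .. level 4 (name).
ATTACK_HIERARCHY = {
    "ffbconfig": ("Violation", "Access_Control_Violation", "Privilege_Violation", "ffbconfig"),
    "fdformat": ("Violation", "Access_Control_Violation", "Privilege_Violation", "fdformat"),
    "Telnet_Terminal_Type": ("Leakage", "Info_Leakage", "Host_Information_Leakage", "Telnet_Terminal_Type"),
    "Telnet_Env_All": ("Leakage", "Info_Leakage", "Host_Information_Leakage", "Telnet_Env_All"),
}
# Table I clusters keyed by the (source, attack, time) pattern: S exact match, G generalized.
CLUSTERS = {
    ("G", "G", "G"): ("C1", "Similar_Source_Similar_Attack_Similar_Time"),
    ("G", "G", "S"): ("C21", "Similar_Source_Same_Time_Similar_Attack"),
    ("S", "G", "G"): ("C22", "Same_Source_Similar_Attack_Similar_Time"),
    ("G", "S", "G"): ("C23", "Similar_Source_Same_Attack_Similar_Time"),
    ("G", "S", "S"): ("C31", "Similar_Source_Same_Attack_Same_Time"),
    ("S", "G", "S"): ("C32", "Same_Source_Same_Time_Similar_Attack"),
    ("S", "S", "G"): ("C33", "Same_Source_Same_Attack_Similar_Time"),
    ("S", "S", "S"): ("C4", "Same_Source_Same_Attack_Same_Time"),
}
MAX_SCORE = {"C1": 9, "C2": 10, "C3": 11, "C4": 12}  # Table I Max Score per cluster family

def fuzzify(score):
    """Crisp candidacy score (3..12) -> [0, 1]. Linear mapping is an assumption; the paper uses Fig. 5."""
    return (score - 3) / 9.0

def ip_similarity(a, b):
    """IP lattice: 4 same host, 3 same subnet (/24 assumed), 2 same network (/16 assumed),
    1 same address class, 0 no match at any level."""
    a, b = IPv4Address(a), IPv4Address(b)
    if a == b:
        return 4
    for score, prefix in ((3, 24), (2, 16)):
        if IPv4Network(f"{a}/{prefix}", strict=False) == IPv4Network(f"{b}/{prefix}", strict=False):
            return score
    first_a, first_b = int(a) >> 24, int(b) >> 24
    same_class = all((first_a < bound) == (first_b < bound) for bound in (128, 192, 224))
    return 1 if same_class else 0

def attack_similarity(a, b):
    """Deepest hierarchy level (1..4) at which the two attack names agree, 0 if none."""
    pairs = zip(ATTACK_HIERARCHY[a], ATTACK_HIERARCHY[b])
    return next((level for level, (x, y) in enumerate(pairs, start=1) if x != y), 5) - 1

def time_similarity(t1, t2):
    """Time lattice: 4 same second, 3 within minutes, 2 within hours, 1 within period (a day assumed)."""
    delta = abs(t1 - t2)
    return 4 if delta == 0 else 3 if delta < 60 else 2 if delta < 3600 else 1 if delta < 86400 else 0

def candidacy(alert, seed):
    """(cluster id, cluster name, crisp score) of `alert` relative to `seed`, or None when
    some feature matches at no abstraction level."""
    scores = (ip_similarity(alert["src"], seed["src"]),
              attack_similarity(alert["attack"], seed["attack"]),
              time_similarity(alert["time"], seed["time"]))
    if 0 in scores:
        return None
    cid, name = CLUSTERS[tuple("S" if s == 4 else "G" for s in scores)]
    return cid, name, sum(scores)

def cluster_resource(alerts, target):
    """S(Cj) for every cluster activated on `target`: mean fuzzy candidacy score of its members.
    Simplification: alerts are scored against the resource's earliest alert, and the pattern of
    exact/generalized features puts each alert in exactly one (most specific) cluster."""
    mine = [a for a in alerts if a["dst"] == target]
    seed = min(mine, key=lambda a: a["time"])
    members = {}
    for c in filter(None, (candidacy(a, seed) for a in mine)):
        members.setdefault(c[:2], []).append(fuzzify(c[2]))
    return {key: mean(fs) for key, fs in members.items()}

def cluster_association_strength(strengths):
    """CAS = sum_k S(Ck) I_k / sum_k I_k; I_k is the fuzzified Max Score of the cluster family,
    which gives I4 > I3 > I2 > I1 as the paper requires."""
    impacts = {key: fuzzify(MAX_SCORE[key[0][:2]]) for key in strengths}
    return sum(strengths[k] * impacts[k] for k in strengths) / sum(impacts.values())

# Constructed alerts aimed at the paper's host mill (octets written without zero padding);
# the last one matches the others at no abstraction level and is dropped as a non-candidate.
ALERTS = [
    {"src": "202.77.162.213", "dst": "172.16.115.20", "attack": "Telnet_Terminal_Type", "time": 1000},
    {"src": "202.77.162.213", "dst": "172.16.115.20", "attack": "Telnet_Env_All", "time": 1000},
    {"src": "202.77.162.213", "dst": "172.16.115.20", "attack": "Telnet_Terminal_Type", "time": 1000},
    {"src": "202.77.162.9", "dst": "172.16.115.20", "attack": "Telnet_Terminal_Type", "time": 1030},
    {"src": "10.1.2.3", "dst": "172.16.115.20", "attack": "ffbconfig", "time": 9000},
]

if __name__ == "__main__":
    strengths = cluster_resource(ALERTS, "172.16.115.20")
    for (cid, name), s in strengths.items():
        print(f"{cid:>3} {name:<45} S = {s:.3f}")
    print(f"CAS(mill) = {cluster_association_strength(strengths):.2%}")
```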
Although our approach requires knowledge of attack behavior in terms of its impact, the use and encoding of this knowledge is straightforward. We have found FCMs to be particularly suitable in dynamic environments, as they are flexible enough to capture the adaptive nature of human knowledge. Our ongoing research concentrates on developing a unified alert fusion model which will combine alert prioritization, alert clustering and alert correlation in a single framework and can be used to provide a security administrator with a better overall understanding of the health of the system resources. Also, we are developing a model that will be suitable for a high performance computing cluster environment.

REFERENCES
[1] D. Brubaker, "Fuzzy Cognitive Maps," EDN Access, Apr. 1996.
[2] F. Cuppens, "Managing Alerts in a Multi-Intrusion Detection Environment," Proceedings: 17th Annual Computer Security Applications Conference, New Orleans, Louisiana, Dec. 2001.
[3] O. M. Dain and R. K. Cunningham, "Building Scenarios from a Heterogeneous Alert Stream," IEEE Transactions on Systems, Man and Cybernetics, 2002.
[4] H. Debar and A. Wespi, "Aggregation and Correlation of Intrusion-Detection Alerts," Proceedings: 4th International Symposium on Recent Advances in Intrusion Detection (RAID), Davis, CA, Oct. 2001.
[5] Internet Security Systems, RealSecure Network 10/100, http://www.iss.net/products_services/enterprise_protection/rsnetwork/sensor.php (current March 30, 2005).
[6] K. Julisch, "Mining Alarm Clusters to Improve Alarm Handling Efficiency," Proceedings: 17th Annual Computer Security Applications Conference (ACSAC'01), New Orleans, LA, December 10-14, 2001.
[7] B. Kosko, "Fuzzy Cognitive Maps," International Journal of Man-Machine Studies, vol. 24, 1986, pp. 65-75.
[8] B. Kosko, Neural Networks and Fuzzy Systems: A Dynamical Systems Approach to Machine Intelligence, Prentice Hall, Englewood Cliffs, NJ, 1992.
[9] B. Kosko, Fuzzy Engineering, Prentice Hall, Upper Saddle River, NJ, 1997.
[10] M.I.T. Lincoln Laboratory, 2000 DARPA Intrusion Detection Scenario Specific Data Sets, http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html (current March 30, 2005).
[11] P. Ning, TIAA: A Toolkit for Intrusion Alert Analysis, http://discovery.csc.ncsu.edu/software/correlator/ (current March 30, 2005).
[12] A. Siraj, S. M. Bridges, and R. B. Vaughn, "Fuzzy Cognitive Maps for Decision Support in an Intelligent Intrusion Detection System," Proceedings: International Fuzzy Systems Association / North American Fuzzy Information Processing Society (IFSA/NAFIPS) Conference on Soft Computing, Vancouver, Canada, Jul. 2001.
[13] A. Siraj and R. B. Vaughn, "A Cognitive Model for Alert Correlation in a Distributed Environment," to appear in Proceedings: IEEE International Conference on Intelligence and Security Informatics, Atlanta, Georgia, May 2005.
[14] D. Stylios and P. P. Groumpos, "Soft Computing Approach for Modeling the Supervisor of Manufacturing Systems," Journal of Intelligent and Robotic Systems, vol. 26, n. 3-4, 1999, pp. 389-403.
[15] A. Valdes and K. Skinner, "Probabilistic Alert Correlation," Proceedings: 4th International Symposium on Recent Advances in Intrusion Detection (RAID), 2001.
[16] J. Q. Xin, J. E. Dickerson, and J. A. Dickerson, "Fuzzy Feature Extraction and Visualization for Intrusion Detection," Proceedings: FUZZ-IEEE, St. Louis, MO, 2003.
