Kleber Stroeh, Prof. Edmundo Madeira and Prof. Siome Goldenstein had a paper accepted at the Journal of Internet Services and Applications: An approach to the correlation of security events based on machine learning techniques. Here’s the abstract:
This work presents an approach on how to collect and normalize, as well as how to fuse and classify, security alerts. This approach involves collecting alerts from different sources and normalizing them according to standardized structures — IDMEF (Intrusion Detection Message Exchange Format). The normalized alerts are grouped into meta-alerts (fusion, or clustering), which are later classified using machine learning techniques into attacks or false alarms.
The full text is already available at the publisher’s site: doi:10.1186/1869-0238-4-7.
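To make the three stages of the abstract concrete (normalize heterogeneous alerts into a common IDMEF-style record, fuse them into meta-alerts, classify the meta-alerts), here is a small end-to-end pipeline. It is an added illustration written for this post, not code from the paper or its authors: the IDMEF structure is reduced to a Python dict carrying a few IDMEF field names (Analyzer, CreateTime, Source, Target, Classification) rather than a full IDMEF XML document; the two input formats (a Snort fast-log line and a JSON record from a hypothetical host agent called `hostagent`), the fusion key and time window, the feature vector, the hand-labelled training set and the nearest-centroid classifier are all assumptions chosen for the example, since the abstract does not specify which learning technique the paper uses. All alert data is constructed.

```python
"""Normalize, fuse and classify security alerts.

Added example, not the paper's code. Input formats, fusion rule, features,
training data and classifier are all assumptions made for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# --- 1. Collection and normalization -------------------------------------
# Snort "fast" alert format (constructed lines, local rule SIDs, no real rules).
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def normalize_snort(line, year=2013):
    """Map one Snort fast-log line to an IDMEF-like dict (year assumed: fast log omits it)."""
    m = SNORT_RE.match(line)
    if not m:
        raise ValueError("unparsable snort line: %r" % line)
    ts = datetime.strptime(f"{year}/{m['ts'].split('.')[0]}", "%Y/%m/%d-%H:%M:%S")
    return {
        "Analyzer": {"name": "snort"},
        "CreateTime": ts.replace(tzinfo=timezone.utc),
        "Source": {"address": m["src"], "port": int(m["sport"]) if m["sport"] else None},
        "Target": {"address": m["dst"], "port": int(m["dport"]) if m["dport"] else None},
        "Classification": {"text": m["msg"]},
    }

def normalize_agent(record):
    """Map a JSON record from a hypothetical host agent to the same IDMEF-like dict."""
    d = json.loads(record)
    return {
        "Analyzer": {"name": d["sensor"]},
        "CreateTime": datetime.fromisoformat(d["time"]),
        "Source": {"address": d["attacker"], "port": None},
        "Target": {"address": d["victim"], "port": d.get("port")},
        "Classification": {"text": d["event"]},
    }

# --- 2. Fusion: alerts sharing (source, target) within a time window -----
def make_meta(src, dst, group):
    return {
        "source": src, "target": dst, "count": len(group),
        "sensors": sorted({a["Analyzer"]["name"] for a in group}),
        "ports": sorted({a["Target"]["port"] for a in group if a["Target"]["port"] is not None}),
        "signatures": sorted({a["Classification"]["text"] for a in group}),
        "span_s": (group[-1]["CreateTime"] - group[0]["CreateTime"]).total_seconds(),
    }

def fuse(alerts, window_s=60):
    """Group alerts by (source, target); start a new meta-alert when the gap exceeds window_s."""
    buckets = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["CreateTime"]):
        buckets[(a["Source"]["address"], a["Target"]["address"])].append(a)
    metas = []
    for (src, dst), group in buckets.items():
        current = []
        for a in group:
            if current and (a["CreateTime"] - current[-1]["CreateTime"]).total_seconds() > window_s:
                metas.append(make_meta(src, dst, current))
                current = []
            current.append(a)
        metas.append(make_meta(src, dst, current))
    return metas

# --- 3. Classification: nearest centroid over a small feature vector ------
def features(meta):
    """(alert count, distinct sensors, distinct target ports, distinct signatures)."""
    return (meta["count"], len(meta["sensors"]), len(meta["ports"]), len(meta["signatures"]))

# Constructed, hand-labelled training vectors (assumption: a tiny labelled corpus).
TRAIN = [
    ((1, 1, 1, 1), "false_alarm"), ((2, 1, 1, 1), "false_alarm"), ((1, 1, 0, 1), "false_alarm"),
    ((6, 2, 1, 3), "attack"), ((10, 2, 4, 2), "attack"), ((4, 2, 1, 2), "attack"),
]

def train_centroids(samples):
    sums, counts = defaultdict(lambda: [0.0] * 4), defaultdict(int)
    for vec, label in samples:
        for i, v in enumerate(vec):
            sums[label][i] += v
        counts[label] += 1
    return {label: tuple(s / counts[label] for s in sums[label]) for label in sums}

def classify(meta, centroids):
    vec = features(meta)
    return min(centroids, key=lambda lbl: sum((a - b) ** 2 for a, b in zip(vec, centroids[lbl])))

# Constructed sample input: one scan-plus-exploit burst, two isolated web alerts.
RAW_SNORT = [
    "01/12-10:00:01.000001  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51000 -> 192.168.1.20:22",
    "01/12-10:00:02.000001  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51001 -> 192.168.1.20:80",
    "01/12-10:00:09.000001  [**] [1:1000002:1] WEB-ATTACKS /etc/passwd access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51002 -> 192.168.1.20:80",
    "01/12-10:00:30.000001  [**] [1:1000003:1] WEB-MISC robots.txt access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.7:40000 -> 192.168.1.20:80",
    "01/12-10:12:30.000001  [**] [1:1000003:1] WEB-MISC robots.txt access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.7:40001 -> 192.168.1.20:80",
]
RAW_AGENT = [
    '{"sensor": "hostagent", "time": "2013-01-12T10:00:15+00:00", "attacker": "10.0.0.5", "victim": "192.168.1.20", "port": 22, "event": "ssh brute force"}',
]

def run_pipeline(snort_lines=RAW_SNORT, agent_records=RAW_AGENT):
    alerts = [normalize_snort(l) for l in snort_lines] + [normalize_agent(r) for r in agent_records]
    centroids = train_centroids(TRAIN)
    return [dict(m, verdict=classify(m, centroids)) for m in fuse(alerts)]

if __name__ == "__main__":
    for m in run_pipeline():
        print(m["verdict"], m["source"], "->", m["target"], features(m))
```

Running it yields three meta-alerts: the four alerts from 10.0.0.5 (two sensors, two target ports, three distinct signatures) fuse into one meta-alert classified as an attack, while the two robots.txt hits from 192.168.1.7, twelve minutes apart, fall outside the 60-second window, stay separate and are classified as false alarms. The point of the fusion step is visible in the feature vector: individually each Snort line looks like any other single alert, and only the grouped view exposes the multi-sensor, multi-port pattern the classifier keys on.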