Computer Science ›› 2010, Vol. 37 ›› Issue (5): 9-14.


Security Alert Correlation: A Survey

FU Xiao,XIE Li   

Online: 2018-12-01    Published: 2018-12-01

Abstract: Alert correlation is a promising new technology that has drawn increasing attention in recent years. It can efficiently address many problems that trouble security managers today, such as high false positive rates (i.e. alerts mistakenly triggered by benign events), high false negative rates (i.e. intrusions missed by security mechanisms), and the large volume of alerts generated by security products every day. Over the past several years a great deal of research has been done in this field, but most of it focused on only a few issues, and many challenging problems have not yet been addressed well, or even touched. Researchers in this field need to put more effort into them in the future. This paper gives an overview of the research progress in this area. First, we introduce the common process and the popular architectures of current alert correlation systems. Then we summarize and compare the main algorithms of the three key phases of that process (i.e. alert aggregation and fusing, attack scenario construction, and attack plan recognition). After that, the main applications of this technology are introduced, and the difficulties and corresponding methods are summarized. Finally, we analyze the shortcomings of current work and possible new directions in this field.

Key words: Alert correlation, Alert aggregation, Alert fusing, Attack scenarios constructing, Attack plan recognition
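The first two phases of the common correlation process described in the abstract, as an added illustration that is not code from the paper: alert aggregation and fusing collapses repeated alerts from one or more sensors into meta-alerts, and attack scenario construction then chains meta-alerts by matching a later alert's prerequisites against an earlier alert's consequences on the same target. The sample alerts and the small prerequisite/consequence knowledge base are constructed for this example.

```python
# Constructed sample alerts as (timestamp_s, sensor, alert_type, src, dst); not from the paper.
RAW_ALERTS = [
    (100, "ids-A",  "port_scan",         "10.0.0.5",  "10.0.0.20"),
    (101, "ids-B",  "port_scan",         "10.0.0.5",  "10.0.0.20"),  # same event, second sensor
    (105, "ids-A",  "port_scan",         "10.0.0.5",  "10.0.0.20"),  # repeat inside the window
    (400, "ids-A",  "sshd_bruteforce",   "10.0.0.5",  "10.0.0.20"),
    (900, "hids-C", "new_admin_account", "10.0.0.20", "10.0.0.20"),  # host-based alert on the target
    (950, "ids-A",  "port_scan",         "10.0.0.9",  "10.0.0.30"),  # unrelated host
]

# Hypothetical knowledge base: what each alert type requires and what it yields on the target.
KB = {
    "port_scan":         {"requires": set(),             "yields": {"recon"}},
    "sshd_bruteforce":   {"requires": {"recon"},         "yields": {"shell_access"}},
    "new_admin_account": {"requires": {"shell_access"},  "yields": {"persistence"}},
}

def aggregate(alerts, window=60):
    """Phase 1: fuse alerts with the same (type, src, dst) that arrive within `window`
    seconds of the previous one into a single meta-alert with a count and sensor set."""
    meta = []
    for ts, sensor, typ, src, dst in sorted(alerts):
        for m in meta:
            if (m["type"], m["src"], m["dst"]) == (typ, src, dst) and ts - m["last"] <= window:
                m["count"] += 1
                m["last"] = ts
                m["sensors"].add(sensor)
                break
        else:  # no open meta-alert matched: start a new one
            meta.append({"first": ts, "last": ts, "type": typ, "src": src, "dst": dst,
                         "count": 1, "sensors": {sensor}})
    return meta

def build_scenarios(meta):
    """Phase 2: link a later meta-alert to an earlier one on the same target when one of
    its prerequisites is among the earlier alert's consequences. Returns the edges."""
    edges = []
    for i, later in enumerate(meta):          # meta is in time order from aggregate()
        for earlier in meta[:i]:
            if earlier["dst"] != later["dst"]:
                continue
            if KB[later["type"]]["requires"] & KB[earlier["type"]]["yields"]:
                edges.append((earlier["type"], later["type"]))
    return edges

if __name__ == "__main__":
    fused = aggregate(RAW_ALERTS)
    print(len(RAW_ALERTS), "raw alerts ->", len(fused), "meta-alerts")
    print("scenario edges:", build_scenarios(fused))
```

With the constructed input, six raw alerts fuse into four meta-alerts, and the scenario step links the scan to the brute force and the brute force to the new account on the same target, while the unrelated scan stays unlinked.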
