Computer networks and systems have become indispensable tools for modern business. Today terabits of information on virtually every subject imaginable are stored in and accessed across such networks by users throughout the world. Much of this information is, to some degree, confidential and its protection is required. Not surprisingly then, various network security monitor devices have been developed to help uncover attempts by unauthorized persons and/or devices to gain access to computer networks and the information stored therein.
Network security products largely include Intrusion Detection Systems (IDS's), which can be Network or Host based (NIDS and HIDS respectively). Other network security products include firewalls, router logs, and various other event reporting devices. Due to the size of their networks, many enterprises deploy hundreds, or thousands of these products thoughts their networks. Thus, network security personnel are bombarded alarms representing possible security threats. Most enterprises do not have the resources or the qualified personnel to individually attend to all of the received alarms.
Furthermore, many large organizations deploy these devices locally at each of their sites to distribute computational resources and to limit bandwidth use. Since security events generally concern local attacks, such division is generally helpful. However, localizing network security can have disadvantages, since not all available and relevant information is used during the threat analysis and decision making.