Intrusion detection systems, network analyzers, network monitors, and other information security devices are all used to detect computer network problems. These systems and devices typically generate alerts that identify specific problems or events caused by hacker attacks, hardware failure, operator error, etc.
As networks become larger, the number of alerts generated by a network's intrusion detection systems and other information security devices grows as well. Even when multiple alerts related to a specific event or attack are consolidated into alert groups, it is still difficult for a network manager (a person) to prioritize the alerts, and to act on those alerts that reflect the biggest threat to network operations. And even if a network's intrusion detection systems and other information security devices do not generate a large number of alerts, the network manager may not have sufficient training or experience to prioritize alerts effectively.
U.S. patent application Ser. No. 09/626,547, filed Jul. 25, 2000, entitled “Network Based Alert Management Process,” and incorporated herein by reference, describes a system for alert correlation and alert ranking that uses discrete algorithms. Although the system described in that patent application is very effective at ranking alerts, it is not easily adaptable to reflect changes in a network or changes in the security preferences of a network manager.