Authors
Andrea Paudice, Santonu Sarkar, Domenico Cotroneo
Publication date
2014/11
Conference
Software Reliability Engineering Workshops (ISSREW), 2014 IEEE International Symposium on
Pages
335-340
Publisher
IEEE
Description
In response to attacks against corporate and enterprise networks, administrators deploy intrusion detection systems, monitors, vulnerability scanners and logging systems. These systems monitor and record host and network device activity, searching for signs of anomalies and security incidents. In doing so, they generally produce a huge number of alerts that overwhelms security analysts. This paper proposes the application of a conceptual clustering technique for filtering alerts and shows the results obtained for seven months of security alerts generated in a real large-scale SaaS Cloud system. The technique has been useful in supporting the manual analysis activities conducted by the operations team of the reference Cloud system.
Total citations
Citations per year, 2016 to 2024 (per-year chart not recoverable from the page)
Scholar articles
A Paudice, S Sarkar, D Cotroneo - 2014 IEEE International Symposium on Software …, 2014