Cross-Correlation

Applies to Product: USM Appliance™ AlienVault OSSIM®

Cross-correlation is a special type of correlation performed by the USM Appliance. The USM Appliance Server uses cross-correlation to modify the reliability of a Network Intrusion Detection System (NIDS) event, which subsequently affects the risk assessment of the event.

USM Appliance only performs cross-correlation on events that have a destination IP address defined, checking whether any vulnerability has been identified on that destination. If the IDS has discovered an attack on an IP address, and a related vulnerability has been found on the same IP, the reliability of the IDS event increases to 10.

The figure below provides an example, where the AlienVault Vulnerability Scanner detects the IIS remote command execution vulnerability on a server, and the AlienVault NIDS reports an attack exploiting that vulnerability on the same server. (AlienVault NIDS is a USM Appliance feature and data source for intrusion detection that monitors network traffic and detects malicious events. In conjunction with event correlation, it enhances the threat detection capabilities of USM Appliance.)

Cross-correlation example—IIS remote command execution.
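The rule described above, sketched in Python as an added example (not AlienVault's code): a NIDS event's reliability is raised to 10 only when its destination IP has a scanner finding related to the signature. The signature IDs, scanner check IDs, asset values and the rule table are constructed placeholders, and the risk formula (asset value × priority × reliability / 25, integer result) is an assumption not stated on this page.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample data; the SIDs and scanner check IDs are made-up placeholders.
# Cross-correlation rules: NIDS signature ID -> related vulnerability check IDs.
XCORR_RULES = {1000001: {90001}, 1000002: {90002, 90003}}
# Vulnerabilities the scanner has found, keyed by asset IP.
VULNS_BY_IP = {"192.0.2.10": {90001}, "192.0.2.20": {90003}}
ASSET_VALUE = {"192.0.2.10": 4, "192.0.2.20": 2}  # assumed scale 0-5, default 2

@dataclass(frozen=True)
class NidsEvent:
    sid: int
    dst_ip: Optional[str]
    priority: int      # assumed scale 0-5
    reliability: int   # 0-10

def cross_correlate(ev, rules=XCORR_RULES, vulns=VULNS_BY_IP):
    """Return the event with reliability raised to 10 when the destination
    has a vulnerability related to the NIDS signature; otherwise unchanged."""
    if not ev.dst_ip:  # no destination IP defined: never cross-correlated
        return ev
    related = rules.get(ev.sid, set())
    found = vulns.get(ev.dst_ip, set())
    if related & found:
        return replace(ev, reliability=10)
    return ev

def risk(ev, asset_values=ASSET_VALUE):
    """Assumed risk formula: asset value * priority * reliability / 25."""
    value = asset_values.get(ev.dst_ip, 2)
    return (value * ev.priority * ev.reliability) // 25

def demo():
    events = [
        NidsEvent(1000001, "192.0.2.10", 4, 3),  # attack matches a found vulnerability
        NidsEvent(1000001, "192.0.2.20", 4, 3),  # same attack, host has an unrelated finding
        NidsEvent(1000002, None, 4, 3),          # no destination IP
    ]
    # (risk before, reliability after, risk after) for each event
    return [(risk(e), cross_correlate(e).reliability, risk(cross_correlate(e)))
            for e in events]

if __name__ == "__main__":
    for before, rel, after in demo():
        print(f"risk before={before} reliability after={rel} risk after={after}")
```

Only the first event changes: the same signature against a host with an unrelated finding, or an event without a destination IP, keeps its original reliability and risk.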

AlienVault OSSIM Limitations: USM Appliance includes a faster and more robust correlation section with more complex correlation directives. AlienVault OSSIM has a smaller number of correlation directives, but you are allowed to customize and build your own directives based on your needs.