The biggest problem with intrusion detection systems is that they generate too many events, so that security operators cannot identify what is actually happening on their systems. These events should be reduced automatically, by abstracting related events into a single event and by filtering out events of no importance. Complex Event Processing (CEP) is a suitable technique for this purpose.
When only a network-based intrusion detection system is used, the only events available are attack-signature matches. In this case the Complex Event Processing technique cannot be applied directly, because it has an inherent weakness in handling partially ordered events.
In our system, we classify the attack events of a network-based intrusion detection system into the 1-1, 1-N, N-1 and N-M attack classes, and provide one filter for each of the four attack classes. We also designed a new event model that describes both raw attack events and abstracted attack events.
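As an added illustration (not the paper's own code or event model), the following Python sketch shows one way the cardinality-based classification can be implemented: raw alerts are grouped per signature within a time window, classified as 1-1, 1-N, N-1 or N-M by counting distinct sources and destinations, and collapsed into one abstracted event per group, with a simple ignore list standing in for the "events of no importance" filter. The alert fields, signature names, window size, ignore policy and sample alerts are all assumptions constructed for this example.

```python
"""Added example, not the paper's code: fold NIDS alerts into abstracted
events by the cardinality of (source, destination) pairs per signature.
Alert format, signature names and the 300 s window are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RawAlert:
    ts: int   # epoch seconds
    sig: str  # NIDS signature name
    src: str  # source IP
    dst: str  # destination IP


@dataclass
class AbstractEvent:
    attack_class: str  # "1-1", "1-N", "N-1" or "N-M"
    sig: str
    sources: list
    destinations: list
    count: int         # number of raw alerts folded into this event
    first_ts: int
    last_ts: int


def classify(n_src: int, n_dst: int) -> str:
    """Attack class from the number of distinct sources / destinations."""
    if n_src == 1 and n_dst == 1:
        return "1-1"
    if n_src == 1:
        return "1-N"   # one attacker, many targets: scan-like
    if n_dst == 1:
        return "N-1"   # many attackers, one target: distributed attack
    return "N-M"       # many to many: worm-like spread


def abstract_alerts(alerts, window=300, ignore=frozenset()):
    """Collapse raw alerts into one AbstractEvent per (signature, window).

    Alerts whose signature is in `ignore` are dropped as unimportant
    (an assumed policy for this example, not the paper's filter)."""
    groups = defaultdict(list)
    for a in alerts:
        if a.sig in ignore:
            continue
        groups[(a.sig, a.ts // window)].append(a)
    events = []
    for (sig, _bucket), members in sorted(groups.items()):
        srcs = sorted({a.src for a in members})
        dsts = sorted({a.dst for a in members})
        events.append(AbstractEvent(
            attack_class=classify(len(srcs), len(dsts)),
            sig=sig, sources=srcs, destinations=dsts,
            count=len(members),
            first_ts=min(a.ts for a in members),
            last_ts=max(a.ts for a in members)))
    return events


def reduction_ratio(n_raw: int, n_abstract: int) -> float:
    """Fraction of raw events removed by abstraction."""
    return 1.0 - n_abstract / n_raw if n_raw else 0.0


def build_sample_alerts():
    """Constructed alerts (not real captures) covering all four classes."""
    t = 1_000_000
    alerts = [RawAlert(t + i, "ICMP PING", "10.0.0.5", "10.0.0.1")
              for i in range(3)]                                   # noise
    alerts += [RawAlert(t + i, "SSH BRUTE FORCE", "10.0.0.7", "10.0.0.20")
               for i in range(50)]                                 # 1-1
    alerts += [RawAlert(t + i, "TCP PORTSCAN", "10.0.0.9", f"10.0.0.{i + 1}")
               for i in range(30)]                                 # 1-N
    alerts += [RawAlert(t + i, "SYN FLOOD", f"192.0.2.{i + 1}", "10.0.0.80")
               for i in range(40)]                                 # N-1
    alerts += [RawAlert(t + i, "WORM PROPAGATION",
                        f"198.51.100.{i // 5 + 1}", f"10.0.1.{i % 5 + 1}")
               for i in range(25)]                                 # N-M
    return alerts


def run_demo():
    """Abstract the sample alerts and return (events, reduction ratio)."""
    alerts = build_sample_alerts()
    events = abstract_alerts(alerts, ignore=frozenset({"ICMP PING"}))
    ratio = reduction_ratio(len(alerts), len(events))
    for e in events:
        print(f"{e.attack_class:4} {e.sig:18} {e.count:3} alerts, "
              f"{len(e.sources)} src -> {len(e.destinations)} dst")
    print(f"raw={len(alerts)} abstracted={len(events)} reduction={ratio:.2%}")
    return events, ratio


if __name__ == "__main__":
    run_demo()
```

Grouping by a fixed time bucket is the simplest way to sidestep the partial-ordering problem mentioned above: the abstraction never depends on the relative order of alerts inside a window, only on which sources and destinations appear in it.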
In our experiment, we reduced 14,185 raw events by 98.47%, which we consider a good result.