Cyber Defense Laboratory



TIAA: A Toolkit for Intrusion Alert Analysis
(Version 0.3)

What's new

  • GUI
  • System support for interactive analysis
  • Faster correlation (by adapting main memory index structures and query optimization techniques)
  • Additional representation of correlated alerts
    • chronological correlation graph
  • Reorganize, generalize and add a few analysis utilities:
    • Hyper-alert generating utilities
      • hyper-alert aggregation/disaggregation
      • clustering analysis
      • focused analysis
    • Feature extraction utilities
      • link analysis
      • frequency analysis

Supported Platforms

This tool has been tested on Windows XP with MS SQL server 2000.


Please try version 1.0

Test Data and Execution Procedure

  1. Download this sql statement and execute it in the database to create a target table "events";
  2. Download  any of these alert datasets [scenario 1 (dmz, inside), scenario 2 (dmz, inside)] generated by RealSecure, the data source is DARPA evaluation dataset 2000. You can import it into MS SQL server with the command "bulk insert events from 'file path' with (FIELDTERMINATOR=',');";
  3. Download the sample knowledge base XML file and its schema;
  4. Download the sample property file, name it "" and make some configuration changes (change the dbDriver and dbURL and various file paths: knowledge base path, Original_Graph_Output, ...)

Checklist before you run this tool

  • Java 1.4
  • MS SQL Server and JDBC driver
  • Xerces Java Parser v1.4.1 (You can get it from Apache's website.)
  • GraphViz (You can get it from AT&T's website. )


Main contributors

  • Yiquan Hu
  • Dingbang Xu
  • Pai Peng

Sample Screenshots

A hyper-alert correlation graph

A chronological correlation graph

Link analysis



© 2003 Yiquan Hu and Peng Ning. Last Updated March 16, 2006.