Abstract: The rapid development of the Internet also brings more and more network threats. Detecting network threats in a real-time and accurate manner has become one of the key technical issues. The alert-correlation-based network threat detection technique is becoming a research hotspot: it couples with widely used security products and fully exploits the relations between abnormal events to reconstruct the attack scenario. Starting from the features of network threats and the security environment, the requirements and classification of network threat detection are introduced. Then the basic concepts and system model of the alert-correlation-based network threat detection technique are illustrated in detail. The key module of the model, the alert correlation method, is studied in detail together with the fundamentals and features of the typical kinds of algorithm, namely the causal-relation-based method, the case-based method, the similarity-based method and the data-mining-based method. Furthermore, three representative detection system architectures are discussed with practical instances, namely the centralized architecture, the hierarchical architecture and the distributed architecture. Finally, based on an analysis of recent research work, future work is discussed and outlined.
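The following is an added example, not code from the paper, illustrating the causal-relation-based correlation method the abstract names: each alert type is annotated with prerequisites and consequences in a hypothetical knowledge base, and two alerts on the same target are linked when an earlier alert's consequence satisfies a later alert's prerequisite; the linked alerts form the reconstructed attack scenario. The alert records and the knowledge base are constructed for the demonstration.

```python
# Constructed sample alerts in the shape an IDS might emit them.
ALERTS = [
    {"id": 1, "type": "port_scan",       "src": "10.0.0.5",   "dst": "192.0.2.10", "t": 100},
    {"id": 2, "type": "exploit_attempt", "src": "10.0.0.5",   "dst": "192.0.2.10", "t": 160},
    {"id": 3, "type": "new_admin_user",  "src": "192.0.2.10", "dst": "192.0.2.10", "t": 300},
    {"id": 4, "type": "port_scan",       "src": "10.0.0.7",   "dst": "192.0.2.11", "t": 120},
]

# Hypothetical causal knowledge base: alert type -> (prerequisites, consequences).
# A later alert is linked to an earlier one on the same host when one of the
# earlier alert's consequences satisfies one of the later alert's prerequisites.
KB = {
    "port_scan":       (set(),                  {"service_discovered"}),
    "exploit_attempt": ({"service_discovered"}, {"host_compromised"}),
    "new_admin_user":  ({"host_compromised"},   {"persistence"}),
}


def correlate(alerts, kb, window=600):
    """Return (earlier_id, later_id) edges; window bounds the causal time gap in seconds."""
    edges = []
    ordered = sorted(alerts, key=lambda a: a["t"])
    for i, later in enumerate(ordered):
        prereqs, _ = kb.get(later["type"], (set(), set()))
        for earlier in ordered[:i]:
            _, consequences = kb.get(earlier["type"], (set(), set()))
            same_target = earlier["dst"] == later["dst"]
            in_window = 0 <= later["t"] - earlier["t"] <= window
            if same_target and in_window and prereqs & consequences:
                edges.append((earlier["id"], later["id"]))
    return edges


def scenarios(alerts, kb, window=600):
    """Group alert ids into connected chains; a singleton is an uncorrelated alert."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for a, b in correlate(alerts, kb, window):
        parent[find(a)] = find(b)   # union the two chains
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["id"]), []).append(a["id"])
    return sorted(sorted(g) for g in groups.values())
```

Running `scenarios(ALERTS, KB)` on the constructed data yields one three-step scenario (scan, exploit, persistence on 192.0.2.10) and leaves the unrelated scan of 192.0.2.11 as an isolated alert.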