The goal of intrusion detection is to monitor the activity of an information system for malicious activities that violate the security policy governing the confidentiality, integrity and availability of its services and data. To maintain a complete picture of the security state, several intrusion detection systems (sensors) must be distributed throughout the monitored network. However, since these sensors are prone to generating a large volume of inaccurate and redundant observations, an additional layer is needed to reason about them. This is the purpose of alarm correlation.

The PLACID project addresses two major challenges in alarm correlation: cooperation between heterogeneous sensors, and the uncertainty of observations.

A common logic is a prerequisite for any correlation approach that reasons about security observations. Most correlation schemes proposed so far need information about attacks and the context in which they occur, yet there is currently no formal language that can fully describe this information, even if some languages formally describe the preconditions and consequences of actions. The first objective of the project is therefore to propose formal logics, with a special focus on description logics, that federate the information intrusion detection components need in order to cooperate, to reason about events and to model the administrator's preferences. These logics would provide a strong theoretical foundation and a methodological tool for alarm correlation techniques in general.

Uncertainty of alerts and observations is one of the major challenges in intrusion detection: a majority of the numerous alerts triggered by intrusion detection systems turn out to be false alarms. We propose to study the use of Bayesian networks, a well-known paradigm for reasoning under uncertainty, in order to reduce the set of candidate attack scenarios, to evaluate whether a given attack succeeded, and to improve the diagnosis of alerts by taking into account evidence modelled in the aforementioned description logic.
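As an added illustration of the Bayesian-network idea above (this is example code written for this page, not the PLACID project's model, and every probability in it is a made-up value), the block below builds a five-variable network in which a network IDS alert, a vulnerability-scanner result and a host log entry are combined to estimate the probability that an attack actually succeeded. Inference is exact enumeration over the joint distribution, which is fine at this size; the point is to see how a lone IDS alert stays close to a false alarm until corroborating evidence from a heterogeneous sensor arrives.

```python
"""
Tiny Bayesian network for IDS alert diagnosis.
Added example with constructed CPTs; not the PLACID project's model.
Inference is exact enumeration over the full joint distribution.
"""
from itertools import product

# Boolean variables:
#   A: an attack is really being attempted
#   V: the target is vulnerable (evidence from a vulnerability scanner)
#   S: the attack succeeded
#   I: the network IDS raised an alert
#   L: the host log shows anomalous activity after the alert
# Structure: A -> S <- V,  A -> I,  S -> L
# Each entry: (parents, table mapping parent values -> P(var = True)).
# All numbers are assumptions chosen for illustration only.
CPTS = {
    "A": ((), {(): 0.05}),
    "V": ((), {(): 0.30}),
    "S": (("A", "V"), {(True, True): 0.90, (True, False): 0.05,
                       (False, True): 0.0, (False, False): 0.0}),
    "I": (("A",), {(True,): 0.95, (False,): 0.10}),  # 10% false-alarm rate
    "L": (("S",), {(True,): 0.80, (False,): 0.02}),
}
VARS = list(CPTS)


def joint(assign):
    """P(full assignment) = product over variables of P(x | parents(x))."""
    p = 1.0
    for var, (parents, table) in CPTS.items():
        p_true = table[tuple(assign[q] for q in parents)]
        p *= p_true if assign[var] else 1.0 - p_true
    return p


def posterior(query, evidence):
    """P(query = True | evidence), summing the joint over every hidden variable."""
    num = den = 0.0
    for values in product((False, True), repeat=len(VARS)):
        assign = dict(zip(VARS, values))
        if any(assign[k] != v for k, v in evidence.items()):
            continue  # inconsistent with the observed evidence
        p = joint(assign)
        den += p
        if assign[query]:
            num += p
    return num / den


if __name__ == "__main__":
    # A lone IDS alert: mostly a false alarm under these CPTs.
    print("P(success | IDS alert)              =", round(posterior("S", {"I": True}), 4))
    # Scanner says the target is not vulnerable: alert is almost certainly noise.
    print("P(success | alert, not vulnerable)  =", round(posterior("S", {"I": True, "V": False}), 4))
    # Vulnerable target plus anomalous host log: strong corroboration.
    print("P(success | alert, vulnerable, log) =",
          round(posterior("S", {"I": True, "V": True, "L": True}), 4))
```

The `evidence` dictionary is where observations from different sensors meet: each one is just another fixed variable in the enumeration, so adding a new sensor means adding a node and a CPT, not rewriting the inference. In a real correlation engine the CPTs would be estimated from labelled alert data or elicited from analysts, and the enumeration would be replaced by variable elimination or a junction tree once the network grows beyond a handful of nodes.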