Intrusion detection systems are among the important tools in network security that notify the networkadministrator of the intrusions or attacks by issuing alerts. These alerts do not necessarily contain useful information and because of the possibility of false alerts, they need further analysis to provide an accurate and complete report of the security status of network. Due to the large number of alerts, management and analysis of alerts cannot be performed manually by network administrator. Alert correlation is a promising method for reducing the number of alerts, deleting irrelevant alerts and finding logical relationship between them that provide a high-level view of the security situation for network administrators. Several correlation methods have been proposed so far, but each one of them have solved only some of the issues in the alert correlation and they are different in terms of performance and accuracy. However, in large networks and complicated attack methods,recognizing missing alerts and detecting new attack scenarios are novel challenges in this area. In this thesis, we propose a hybrid alert correlation system that is composed of two parts. In the firstpart, a causal correlation algorithm based on attack graph is used to detect known attacks. This algorithm has thecapability of hypothesizing missed alerts. In the second part, a correlation algorithm based on featuresimilarity is proposed to discover unknown attack scenarios. These two parts of the system work together and ifthe first part is not able to correlate a new alert, the second part is used to do it.Moreover, the proposed hybridsystem is able to detect attack graph defects.It can also aggregate similar alerts. Simulation results on DARPA2000 dataset confirm the accuracy and efficiency of the proposed system for real-time applications. Keywords: Network Security, Intrusion Detection System, Alert, Alert Correlation