Case-Based Multi-Sensor Intrusion Detection

Abstract
Multi-sensor intrusion detection systems (IDSs) combine the alerts raised by individual IDSs and possibly other kinds of devices such as firewalls and antivirus software. A critical issue in building a multi-sensor IDS is alert correlation, i.e., determining which alerts are caused by the same attack. This paper explores a novel approach to alert correlation using case-based reasoning (CBR). Each case in the CBR system's library contains a pattern of alerts raised by some known attack type, together with the identity of the attack. At run time, the alert streams gleaned from the sensors are compared with the patterns in the cases, and a match indicates that the attack described by that case has occurred. For this purpose the design of a fast and accurate matching algorithm is imperative. Two such algorithms were explored: (i) the well-known Hungarian algorithm, and (ii) an order-preserving matching of our own devising. Tests were conducted using the DARPA Grand Challenge Problem attack simulator. These showed that both matching algorithms are effective in detecting attacks, but the Hungarian algorithm is inefficient, whereas the order-preserving one is very efficient; in fact, it runs in linear time.
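As an added illustration of the matching step (not the paper's own code, and not its exact order-preserving algorithm), the Python below holds a small case library and matches each case's alert pattern against a sensor alert stream in a single linear pass, so that alerts must occur in the pattern's order while unrelated alerts in between are skipped; the alert signature names, the case patterns and the alert stream are all constructed here for the example.

```python
"""Case-based alert correlation with a linear-time, order-preserving matcher.
Simplified illustration; the real paper's algorithm is not reproduced here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    attack: str      # identity of the known attack type
    pattern: tuple   # ordered alert signatures this attack is expected to raise


def order_preserving_match(pattern, stream):
    """Greedy single-pass subsequence match of `pattern` against `stream`.

    Returns (fraction of the pattern matched, stream indices of the matched
    alerts). Each pattern element may only match an alert that comes after the
    previous match, so the order of the case pattern is preserved. Runs in
    O(len(pattern) + len(stream)); leftmost greedy matching maximises the
    matched prefix, so the score is the longest pattern prefix found in order.
    """
    hits, j = [], 0
    for i, alert in enumerate(stream):
        if j < len(pattern) and alert == pattern[j]:
            hits.append(i)
            j += 1
            if j == len(pattern):
                break
    return j / len(pattern), hits


def correlate(library, stream, threshold=0.75):
    """Report (attack, score) for every case matched at or above `threshold`,
    best match first; a full match means the case's attack is considered detected."""
    results = []
    for case in library:
        score, _ = order_preserving_match(case.pattern, stream)
        if score >= threshold:
            results.append((case.attack, score))
    return sorted(results, key=lambda r: r[1], reverse=True)


# Constructed case library and alert stream (hypothetical signature names).
LIBRARY = [
    Case("worm-propagation", ("PORTSCAN", "EXPLOIT_RPC", "OUTBOUND_SCAN")),
    Case("web-credential-theft", ("SQLI_PROBE", "SQLI_UNION", "DB_DUMP", "LARGE_EGRESS")),
]
STREAM = ["PORTSCAN", "AV_HEURISTIC", "EXPLOIT_RPC", "SQLI_PROBE", "OUTBOUND_SCAN", "FW_DENY"]

if __name__ == "__main__":
    print(correlate(LIBRARY, STREAM))  # [('worm-propagation', 1.0)]
```

Reordering the stream so that OUTBOUND_SCAN precedes EXPLOIT_RPC drops the worm case to a partial score, which is what distinguishes this matcher from an unordered (assignment-style) comparison.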