Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

An Alert Data Mining Framework for Network-Based Intrusion Detection System

  • Conference paper
Information Security Applications (WISA 2005)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3786))

Included in the following conference series:

Abstract

Intrusion detection techniques have been developed to protect computer and network systems against malicious attacks.  However, there are no perfect intrusion detection systems or mechanisms, because it is impossible for the intrusion detection systems to get all the packets in the network system. Current intrusion detection systems cannot fully detect novel attacks or variations of known attacks without generation of a large amount of false alerts. In addition, all the current intrusion detection systems focus on low-level attacks or anomalies. Consequently, the intrusion detection systems usually generate a large amount of alerts. And actual alerts may be mixed with false alerts and unmanageable. As a result, it is difficult for users or intrusion response systems to understand the intrusion behind the alerts and take appropriate actions. The standard format of alert messages is not yet defined. Alerts from heterogeneous sensors have different types although they are actually same. Also false alarms and frequent alarms can be used as Denial of Service attack as alarm messages by themselves and cause alert flooding. So we need to minimize false alarm rate and prevent alert flooding through analyzing and merging of alarm data. In this paper, we propose a data mining framework for the management of alerts in order to improve the performance of the intrusion detection systems. The proposed alert data mining framework performs alert correlation analysis by using mining tasks such as axis-based association rule, axis-based frequent episodes and order-based clustering. It also provides the capability of classifying false alarms in order to reduce false alarms from intrusion detection system. The final rules that were generated by alert data mining framework can be used to the real time response of the intrusion detection system and to the reduction of the volume of alerts.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Schnackenberg, D., Djahandari, K., Sterne, D.: Infrastructure for Intrusion Detection and Response. In: Proceedings of the DARPA ISCE, Hilton Head, SC (January 2000)

    Google Scholar 

  2. Lee, M.J., Shin, M.S., Moon, H.S., Ryu, K.H.: Design and Implementation of Alert Analyzer with Data Mining Engine. In: Liu, J., Cheung, Y.-m., Yin, H. (eds.) IDEAL 2003. LNCS, vol. 2690. Springer, Heidelberg (2003)

    Google Scholar 

  3. Lee, W., Stolfo, S.J., Mok, K.W.: A Data Mining Framework for Building Intrusion Detection Models. In: Proc. The 2nd International Symposium on Recent Advances in Intrusion Detection (RAID 1999) (1999)

    Google Scholar 

  4. Ross Quinlan, J.: C4.5: Programs for and Neural Networks, Machine Learning. Morgan Kaufman publishers, San Francisco (1993)

    Google Scholar 

  5. Snort. Open-source Network Intrusion Detection System, http://www.snort.org

  6. Spafford, E.H., Zamboni, D.: Intrusion detection using autonomous agents. Computer Networks 34, 547–570 (2000)

    Article  Google Scholar 

  7. Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  8. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 54–68. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  9. Tcpdump/Libpcap, Network Packet Capture Program (2003), http://www.tcpdump.org

  10. Ning, P., Cui, Y.: An intrusion alert correlator based on prerequisites of intrusions, Technical Report TR-2002-01, Department of Computer Science, North Carolina State University

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Dept. of Computer Science, KonKuk University, Danwol-Dong, Chungju-Si, Chungbuk, 380-701, Korea

    Moon Sun Shin

  2. ChungCheong University, Korea

    Kyeong Ja Jeong

Authors
  1. Moon Sun Shin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kyeong Ja Jeong
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Yonsei University, Shinchon-Dong, 134, Seodaemun-gu, 120-749, Seoul, Korea

    Joo-Seok Song

  2. School of Computer Science and Engineering, Seoul National University,  

    Taekyoung Kwon

  3. Computer Science Department, Google Inc. and Columbia University, 1214 Amsterdam Avenue, 10027, New York, NY, USA

    Moti Yung

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Shin, M.S., Jeong, K.J. (2006). An Alert Data Mining Framework for Network-Based Intrusion Detection System. In: Song, JS., Kwon, T., Yung, M. (eds) Information Security Applications. WISA 2005. Lecture Notes in Computer Science, vol 3786. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11604938_4

Download citation

  • DOI: https://doi.org/10.1007/11604938_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31012-9

  • Online ISBN: 978-3-540-33153-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation