Time series modeling for IDS alert management

Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, ASIACCS '06

Volumn 2006, Issue , 2006, Pages 102-113

  Viinikka, Jouni ^a   Debar, Hervé ^a   Mé, Ludovic ^b   Séguier, Renaud ^b  

^a ORANGE LABS   (France)

^b SUPELEC Campus de Rennes   (France)

Author keywords

Experimentation; Security

Indexed keywords

INFORMATION SYSTEMS; TIME SERIES ANALYSIS; USER INTERFACES;

ALERTS; OPERATIONAL INFORMATION SYSTEMS; REAL WORLD DATA;

INTRUSION DETECTION;

EID: 33847395411     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1128817.1128835     Document Type: Conference Paper

References (19)

1. S. Axelsson. The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. In Proc. of the ACM CCS'99, Nov. 1999.
2. P. Barford, J. Kline, D. Plonka, and A. Ron. A Signal Analysis of Network Traffic Anomalies. In Proc of ACM SIGCOMM Internet Measurement Workshop, Nov. 2002.
3. P. J. Brockwell and R. A. Davis. Time series: theory and methods. Springer Texts in Statistics, 1991.
4. P. J. Brockwell and R. A. Davis. Introduction to time series and forecasting. Springer Texts in Statistics, 2002.
5. H. Debar and B. Morin. Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems. In Proc. of the RAID'02 Springer-Verlag, 2002.
6. H. Debar and A. Wespi. Aggregation and Correlation of Intrusion-Detection Alerts. In Proc. of the RAID'01. Springer-Verlag, 2001.
7. K. Julisch. Mining Alarm Clusters to Improve Alarm Handling Efficiency. In Proc. of the ACS AC'01, Dec. 2001.
8. K. Julisch and M. Dacier. Mining Intrusion. Detection Alarms for Actionable Knowledge. In Proc. of the SIGKDD'02, 2002.
9. C. Kruegel and W. Robertson. Alert verification: Determining the success of intrusion attempts. In Proc. of the DIMVA '04, Dortmund, Germany, July 2004.
10. G. M. Ljung and G. E. P. Box. On a Measure of Lack of Fit in Time Series Models. Biometrica, 65(2):297-303, Aug. 1978.
11. 2 Statistic and EWMA Control Chart. URL: http://arqos.csc.ncsu.edu/papers.htm, Feb. 2002.
12. S. Manganaris, M. Christensen, D. Zerkle, and K. Hermiz. A Data Mining Analysis of RTID Alarms, RAID'99, 1999.
13. H. Mannila, H. Toivonen, and A. I. Virkamo. Discovering Frequent Episodes In Sequences. In Proc. of the KDD'95, 1995.
14. P. A. Porras, M. W. Fong, and A. Valdes. A Mission-Impact-Based Approach to INFOSEC Alarm Correlation. In Proc. of the RAID'02. Springer-Verlag, 2002.
15. X. Qin and W. Lee. Statistical Causality Analysis of INFOSEC Alert Data. In Proc. of the RAID'09. Springer-Verlag, 2003.
16. A. Valdes and K. Skinner. Probabilistic Alert Correlation. In Proc. of the RAID'01. Springer Verlag, 2001.
17. J. Viinikka and H. Debar. Monitoring IDS Background Noise Using EWMA Control Charts and Alert Information. In Proc. of the RAID'04, Springer-Verlag, 2004.
18. N. Ye, C. Borror, and Y. Chang. EWMA Techniques for Computer Intrusion Detection Through Anomalous Changes In Event Intensity. Quality and Reliability Engineering International, 18:443-451, 2002.
19. N. Ye, S. Vilbert, and Q. Chen. Computer Intrusion Detection Through EWMA for Autocorrelated and Uncorrelated Data. IEEE Transactions on Reliability, 52(1):75-82, Mar. 2003.