Classification of intrusion detection alerts using abstaining classifiers

Intelligent Data Analysis

Volumn 11, Issue 3, 2007, Pages 293-316

  Pietraszek, Tadeusz ^a  

^a IBM RESEARCH ZURICH   (Switzerland)

Author keywords

Abstaining classifiers; Alert classification; False positives; Intrusion detection

Indexed keywords

EID: 34547433148     PISSN: 1088467X     EISSN: 15714128     Source Type: Journal    
DOI: 10.3233/ida-2007-11306     Document Type: Article

References (48)

1. J.P. Anderson, Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co., 1980.
2. S. Axelsson, The base-rate fallacy and its implications for the intrusion detection, in: Proceedings of the 6th ACM Conference on Computer and Communications Security, Kent Ridge Digital Labs, Singapore, 1999, pp. 1-7.
3. E. Bloedorn, B. Hill, A. Christiansen, C. Skorupka, L. Talbot and J. Tivel, Data mining for improving intrusion detection, Technical report, MITRE Corporation, 2000.
4. W.W. Cohen, Fast effective rule induction, In Armand Prieditis and Stuart Russell, editors, Proceedings of the 12th International Conference on Machine Learning, Tahoe City, CA, 1995. Morgan Kaufmann Publishers, 115-123.
5. A. Cuff, Talisker intrusion detection prevention systems, Web page at http://www.networkintrusion.co.uk/ids.htm, 2005.
6. F. Cuppens, Managing alerts in a multi-intrusion detection environment, in: Proceedings 17th Annual Computer Security Applications Conference, New Orleans, 2001, pp. 22-31.
7. O. Dain and R.K. Cunningham, Fusing a heterogeneous alert stream into scenarios, in: Proceedings of the 2001 ACM Workshop on Data Mining for Security Application, Philadelphia, PA, 2001, 1-13.
8. H. Debar and A. Wespi, Aggregation and correlation of intrusion-detection alerts, in: Recent Advances in Intrusion Detection (RAID2001), (Vol. 2212) of Lecture Notes in Computer Science, Springer-Verlag, 2001, pp. 85-103.
9. D.E. Denning, An intrusion detection model, IEEE Transactions on Software Engineering SE-13(2) (1987), 222-232.
10. P. Domingos, Metacost: A general method for making classifiers cost-sensitive, in: Proceedings of the Fifth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Diego, CA, 1999, pp. 155-164.
11. C. Drummond and R.C. Holte, Explicitly representing expected cost: An alternative to ROC representation, in: Proceedings of the Sixth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, ACM Press, 2000, pp. 198-207.
12. W. Fan, Cost-Sensitive, Scalable and Adaptive Learning Using Ensemble-based Methods, PhD thesis, Columbia University, 2001.
13. W. Fan, W. Lee, S.J. Stolfo and M. Miller, A multiple model cost-sensitive approach for intrusion detection, in: Proceedings of the ECML 2000, 11th European Conference on Machine Learning, (Vol. 1810) of Lecture Notes in Computer Science, Barcelona, Spain, 2000. Springer-Verlag, pp. 142-153.
14. T. Fawcett, ROC graphs: Notes and practical considerations for researchers (HPL-2003-4), Technical report, HP Laboratories, 2003.
15. C. Ferri and J. Hernández-Orallo, Cautious classifiers, in: Proceedings of ROC Analysis in Artificial Intelligence, 1st International Workshop (ROCAI-2004), Valencia, Spain, 2004, pp. 27-36.
16. P.A. Flach and S. Wu, Repairing concavities in ROC curves, in: Proceedings 2003 UK Workshop on Computational Intelligence, Bristol, UK, 2003, pp. 38-44.
17. D. Gamberger and N. Lavrač, Reducing misclassification costs, in: Principles of Data Mining and Knowledge Discovery, 4th European Conference (PKDD 2000), (Vol. 1910) of Lecture Notes in Artificial Intelligence, Lyon, France, 2000. Springer Verlag, pp. 34-43.
18. R. Heady, G. Luger, A. Maccabe and M. Servilla, The architecture of a network level intrusion detection system, Technical report, University of New Mexico, 1990.
19. S. Hettich and S.D. Bay, The UCIKDD Archive, Web page at http://kdd.ics.uci.edu, 1999.
20. V. Jacobson, C. Leres and S. McCanne, TCPDUMP public repository, Web page at http://www.cpdump.org/, 2003.
21. K. Julisch, Using Root Cause Analysis to Handle Intrusion Detection Alarms, PhD thesis, University of Dortmund, Germany, 2003.
22. N. Lachiche and P. Flach, Improving accuracy and cost of two-class and multi-class probabilistic classifiers using ROC curves, in: Proceedings of the Twentieth International Conference on Machine Learning (ICML-2003), Washington, DC, 2003. AAAI, pp. 609-616. Press.
23. N. Lavrač and S. Džeroski, Inductive Logic Programming: Techniques and Applications, Ellis Horwood, 1994.
24. W. Lee, A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems, PhD thesis, Columbia University, 1999.
25. W. Lee, W. Fan, M. Miller, S.J. Stolfo and E. Zadok, Toward cost-sensitive modeling for intrusion detection and response, Journal of Computer Security 10(1-2) (2002), 5-22.
26. R. Lippmann, J.W. Haines, D.J. Fried, J. Korba and K. Das, The 1999 DARPA off-line intrusion detection evaluation, Computer Networks: The International Journal of Computer and Telecommunications Networking 34(4) (2000), 579-595.
27. R. Lippmann, S. Webster and D. Stetson, The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection, in: Recent Advances in Intrusion Detection (RAID2002), volume 2516 of Lecture Notes in Computer Science, Springer-Verlag, 2002, pp. 307-326.
28. R.P. Lippmann, D.J. Fried, I. Graf, J.W. Haines, K.R. Kendall, D. McClung, D. Weber, S.E. Webster, D. Wyschogrod, R.K. Cunningham and M.A. Zissman, Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation, in: Proceedings of the 2000 DARPA Information Survivability Conference and Exposition, (Vol. 1),Hilton Head, SC, 2000, pp. 1012-1035.
29. M.V. Mahoney and RK. Chan, An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection, in: Recent Advances in Intrusion Detection (RAID2003), (Vol. 2820) of Lecture Notes in Computer Science, Springer-Verlag, 2003, pp. 220-237.
30. M.A. Maloof and R.S. Michalski, Incremental learning with partial instance memory, in: Proceedings of Foundations of Intelligent Systems: 13th International Symposium, ISMIS 2002, (Vol. 2366) of Lecture Notes in Artificial Intelligence, Springer-Verlag, 2002, pp. 16-27.
31. S. Manganaris, M. Christensen, D. Zerkle and K. Hermiz, A data mining analysis of RTID alarms, Computer Networks: The International Journal of Computer and Telecommunications Networking 34(4) (Oct. 2000), 571-577.
32. J. McHugh, The 1998 Lincoln Laboratory IDS evaluation. A critique, in: Recent Advances in Intrusion Detection (RAID2000), (Vol. 1907) of Lecture Notes in Computer Science, Springer-Verlag, 2000, pp. 145-161.
33. J. McHugh, Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory, ACM Transactions on Information and System Security 3 (2001), 262-294.
34. MIT Lincoln Laboratory, 1999 DARPA intrusion detection evaluation data set. Web page at http://www.ll.mit.edu/IST/ideval/data/1999/1999_data_index. html, 1999.
35. B. Morin, L. Mé, H. Debar and M. Ducasse, M2D2: A formal data model for IDS alert correlation, in: Recent Advances in Intrusion Detection (RAID2002), (Vol. 2516) of Lecture Notes in Computer Science, Springer-Verlag, 2002, pp. 115-137.
36. P. Ning, Y. Cui and D.S. Reeves, Constructing attack scenarios through correlation of intrusion alerts, in: Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp. 245-254.
37. V. Paxson, Bro: A system for detecting network intruders in real-time, Computer Networks 31(23-24) (1999), 2435-2463.
38. M.J. Pazzani, P. Murphy, K. Ali and D. Schulenburg, Trading off coverage for accuracy in forecasts: Applications to clinical data analysis, in: Proceedings of AAAI Symposium on AI in Medicine, Stanford, CA, 1994, pp. 106-110.
39. T. Pietraszek, Using adaptive alert classification to reduce false positives in intrusion detection, in: Recent Advances in Intrusion Detection (RAID2004), (Vol. 3324) of Lecture Notes in Computer Science, Sophia Antipolis, France, 2004. Springer-Verlag, pp. 102-124.
40. T. Pietraszek, Optimizing abstaining classifiers using ROC analysis, in: Machine Learning, Proceedings of the Twenty-second International Conference (ICML 2005), Bonn, Germany, 2005, pp. 665-672.
41. T. Pietraszek, On the optimization of abstaining classifiers using ROC analysis, Machine Learning Journal, (to appear), 2006.
42. F. Provost and T. Fawcett, Robust classification systems for imprecise environemnts, in: Proceedings of the Fifteenth National Conference on Artificial Intellignence (AAAI-98), AAAI Press, 1998, pp. 706-713.
43. M. Roesch, SNORT. The Open Source Network Intrusion System, Web page at http://www.snort.org, 1998-2005.
44. T.E. Senator, Multi-stage classification, in: Proceedings of the 5th IEEE International Conference on Data Mining (ICDM 2005), Houston, TX, 2005. IEEE Computer Society, pp. 386-393.
45. R. Sommer and V. Paxson, Enhancing byte-level network intrusion detection signatures with context, in: Proceedings of the 10th ACM Conference on Computer and Communication Security, Washington, DC, 2003, pp. 262-271.
46. K.M. Ting, Inducing cost-sensitive trees via instance weighting, in: Proceedings of The Second European Symposium on Principles of Data Mining and Knowledge Discovery, (Vol. 1510) of Lecture Notes in AI, Springer-Verlag, 1998, pp. 139-147.
47. A. Valdes and K. Skinner, Probabilistic alert correlation, in: Recent Advances in Intrusion Detection (RAID2001), (Vol. 2212) of Lecture Notes in Computer Science, Springer-Verlag, 2001, pp. 54-68.
48. J. Wang and I. Lee, Measuring false-positive by automated real-time correlated hacking behavior analysis, in: Information Security 4th International Conference, (Vol. 2200) of Lecture Notes in Computer Science, Springer-Verlag, 2001, pp. 512-535.