Intrusion detection alarms reduction using root cause analysis and clustering

Computer Communications

Volumn 32, Issue 2, 2009, Pages 419-430

  Al Mamory, Safaa O ^a   Zhang, Hongli ^a  

^a HARBIN INSTITUTE OF TECHNOLOGY   (China)

Author keywords

Alarms clustering; False positive; Intrusion detection system; Network security; Root causes

Indexed keywords

ALARM SYSTEMS; COMPUTER CRIME; ERRORS; INTERNET; NETWORK SECURITY; SECURITY OF DATA; TURBULENT FLOW;

ALARMS CLUSTERING; AUTOMATED SYSTEMS; CLUSTERING METHODS; CLUSTERING TECHNIQUES; DATA SETS; FALSE ALARMS; FALSE POSITIVE; INTRUSION DETECTION SYSTEM; NEW TECHNIQUES; REDUCTION RATIOS; ROOT CAUSE ANALYSES; ROOT CAUSES; SECURITY BREACHES;

INTRUSION DETECTION;

EID: 58149488644     PISSN: 01403664     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comcom.2008.11.012     Document Type: Article

References (41)

1. Manganaris S., Christensen M., Zerkle D., and Hermiz K. A data mining analysis of RTID alarms. Journal of Computer Network 34 (2000) 571-577
2. Julisch K. Clustering intrusion detection alarms to support root cause analysis. ACM Transaction on Information and System Security 6 (2003) 443-471
3. Perdisci R., Giacinto G., and Roli F. Alarm clustering for intrusion detection systems in computer networks. Journal of Engineering Application of Artificial Intelligence 19 (2006) 429-438
4. K. Julisch, Using root cause analysis to handle intrusion detection alarms, Ph.D. dissertation, University of Dortmund, 2003.
5. O.M. Dain, R.K Cunningham, Fusing a heterogeneous alert stream into scenarios, in: Proceeding of the 2001 ACM Workshop on Data Mining for Security Applications, 2001, pp. 231-235.
6. Ning P., Cui Y., Reeves D.S., and Xu D. Techniques and tools for analyzing intrusion alerts. ACM Transaction on Information and System Security 7 (2004) 274-318
7. S.O. Al-Mamory, H. Zhang, A survey on IDS alerts processing techniques, in: Proceeding of the 6th WSEAS International Conference on Information Security and Privacy (ISP'07), Spain, 2007, pp. 69-78.
8. A. Siraj, R. Vaughn, Multi-level alert clustering for intrusion detection sensor data, in: Proceeding of North American Fuzzy Information Processing Society International Conference on Soft Computing for Real World Applications, Michigan, 2005.
9. A. Valdes, K. Skinner, Probabilistic alert correlation, in: Proceeding of the Recent Advances in Intrusion Detection, LNCS 2212, 2001, pp. 54-68.
10. Zhu B., and Ghorbani A.A. Alert correlation for extracting attack strategies. International Journal of Network Security 3 3 (2006) 244-258
11. Smith R., Japkowicz N., Dondo M., and Mason P. Using unsupervised learning for network alert correlation. LNCS Advances in Artificial Intelligence (2008) 308-319
12. T. Pietraszek, Using adaptive alert classification to reduce false positives in intrusion detection, in: Proceeding of the Recent Advances in Intrusion Detection, France, 2004, pp. 102-124.
13. Livingston A.D., Jackson G., and Priestley K. Root Cause Analysis: Literature Review (2001), HSE Books pp. 1-62
14. M. Paradies, D. Busch, Root cause analysis at Savannah river plant, in: Proceeding of the IEEE Conference on Human Factors and Power Plants, 1988, pp. 479-483.
15. M. Roesch, Snort-lightweight intrusion detection for networks, in: Proceeding of the 1999 USENIX LISA Conference, 1999, pp. 229-238.
16. Hand D., Mannila H., and Smyth P. Principles of Data Mining (2001), The MIT Press
17. Bellovin S.M. Packets found on an internet. Journal of Computer Communication Review 23 (1993) 26-31
18. Han J., and Fu Y. Exploration of the power of attribute-oriented induction in data mining. In: Fayyad U.M., Piatetsky-Shapiro G., Smyth P., and Uthurusamy R. (Eds). Advances in Knowledge Discovery and Data Mining (1996), AAAI/MIT Press 399-421
19. Han J., Cai Y., and Cercone N. Data-driven discovery of quantitative rules in relational databases. IEEE Transaction on Knowledge and Data Engineering 5 (1993) 29-40
20. J. Dougherty, R. Kohavi, M. Sahami, Supervised and unsupervised discretization of continuous features, in: Proceedings of the 12th International Conference on Machine Learning, 1995, pp. 194-202.
21. J. Han, Y. Fu, Dynamic generation and refinement of concept hierarchies for knowledge discovery in databases, in: Proceedings of the AAAI Workshop on Knowledge Discovery in Databases, 1994, pp. 157-168.
22. Y. Lu, Concept Hierarchy in Data Mining: Specification, Generation, and Implementation, Master's Thesis, Simon Fraser University, Canada, 1997.
23. T. Pietraszek, Alert classification to reduce false positives in intrusion detection, Ph.D. dissertation, Institut für Informatik, Albert-Ludwigs-Universität Freiburg, Germany, July 2006.
24. Han J., and Kamber M. Data Mining: Concepts and Techniques (The Morgan Kaufmann Series in Data Management Systems) (2000), Morgan Kaufmann
25. O. Heinonen H. Mannila, Attribute-oriented induction and conceptual clustering, Technical Report, University of Helsinki, Department of Computer Science, 1996.
26. K. Julisch, Mining alarm clusters to improve alarm handling efficiency, in: Proceeding of the 17th Annual Computer Security Applications Conference, New Orleans, 2001, pp. 12-21.
27. Jain A.K., Murty M.N., and Flynn P.J. Data clustering: a review. ACM Computing Surveys 31 (1999) 264-323
28. Theodoridis S., and Koutroubas K. Pattern Recognition (1999), Academic Press
29. Halkidi M., Batistakis Y., and Vazirgiannis M. On clustering validation techniques. Journal of Intelligent Information Systems 17 (2001) 107-145
30. Berry M.J.A., and Linoff G. Data Mining Techniques for Marketing, Sales and Customer Support (1996), John Wiley & Sons, Inc.
31. M. Halkidi, M. Vazirgiannis, I. Batistakis, Quality scheme assessment in the clustering process, in: Proceeding of the 4th European Conference on Principles of Data Mining and Knowledge Discovery, 2000, pp. 265-276.
32. Rezaee M.R., Lelieveldt B.B.F., and Reiber J.H.C. A new cluster validity index for the fuzzy c-mean. Pattern Recognition Letters 19 (1998) 237-246
33. Sharma S.C. Applied Multivariate Techniques (1996), John Wiley & Sons
34. Xie X.L., and Beni G. A validity measure for fuzzy clustering. IEEE Transactions on Pattern Analysis and Machine Intelligence 13 8 (1991) 841-847
35. Rousseeuw P.J. Silhouettes: a graphical aid to the interpretation and validation of cluster analysis. Journal of Computational and Applied Mathematics 20 1 (1987) 53-65
36. Bezdek J.C., and Pal N.R. Some new indexes of cluster validity. IEEE Transactions on Systems, Man, and Cybernetics, Part B 28 3 (1998) 301-315
37. Davies D.L., and Bouldin D.W. A cluster separation measure. IEEE Transactions on Pattern Analysis and Machine Intelligence 1 2 (1979) 224-227
38. Mchugh J. Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security 3 4 (2000) 262-294
39. MIT Lincoln Laboratory, 1999 DARPA intrusion detection evaluation data set, 1999. Web page at .
40. Valeur F., Vigna G., Kruegel C., and Kemmerer R.A. A comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing 1 3 (2004)
41. J. Han, Y. Cai, N. Cercone, Knowledge discovery in databases: an attribute-oriented approach, in: Proceeding of the 18th International Conference on Very Large Databases, 1992, pp. 547-559.