A decision support system for constructing an alert classification model

Expert Systems with Applications

Volumn 36, Issue 8, 2009, Pages 11145-11155

  Jan, Nien Yi ^a,c   Lin, Shun Chieh ^b   Tseng, Shian Shyong ^b   Lin, Nancy P ^a  

^a TAMKANG UNIVERSITY   (Taiwan)

^b NATIONAL CHIAO TUNG UNIVERSITY   (Taiwan)

^c CHUNGHWA TELECOM CO LTD   (Taiwan)

Author keywords

Alert classification; Decision support system; Intrusion detection; Model construction; Sequential pattern mining

Indexed keywords

ALERT CLASSIFICATION; ALERT PROCESSING; ANALYSIS METHOD; ATTACK PATTERNS; ATTACK SEQUENCES; CLASSIFICATION RULES; DATA FORMAT; INTRUSION PATTERNS; MODEL CONSTRUCTION; NETWORK ADMINISTRATOR; NETWORK DATA; NETWORK INTRUSIONS; ON-LINE NETWORK; PREPROCESSING PHASE; RAPID GROWTH; ROOT CAUSE; ROOTKITS; SEQUENTIAL PATTERN MINING; THREE PHASIS; TIME INTERVAL;

ARTIFICIAL INTELLIGENCE; DECISION MAKING; DECISION SUPPORT SYSTEMS; DECISION THEORY; INTERNET; MINING; REFINING;

INTRUSION DETECTION;

EID: 67349095739     PISSN: 09574174     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.eswa.2009.02.097     Document Type: Article

References (27)

1. Agrwal, R., & Srikant, R. (1995). Mining sequential patterns. In Proceedings of the 11th international conference on data engineering (pp. 3-14).
2. Alharby, A., & Imai, H. (2005). IDS false alarm reduction using continuous and discontinuous patterns. In Proceedings of ACNS 2005 (pp. 192-205).
3. Basic Analysis and Security Engine (BASE) (2005). URL: .
4. Bridis, T. (2002). Powerful attack cripples majority of key Internet computers. In Yahoo! news.
5. Cabrera, J. B. D., Lewis, L., Qin, X., Lee, W., Prasanth, R. K., Ravichandran, B., & Mehra, R. K. (2001). Proactive detection of distributed denial of service attacks using MIB traffic variables-A feasibility study. In Proceedings of the seventh IFIP/IEEE international symposium on integrated network management (pp. 609-622).
6. CERT Coordination Center (2006). URL: .
7. Chen, J., DeWitt, D. J., Tian, F., & Wang, Y. (2000). NiagaraCQ: A scalable continuous query system for internet databases. In Proceedings of ACM SIGMOD 2000 (pp. 379-390).
8. Debar, H., & Wespi, A. (2001). The intrusion-detection console correlation mechanism. In Proceedings of the fourth international symposium on recent advances in intrusion detection (RAID 2001) (pp. 235-240).
9. DRAMA Expert System, CORETECH Inc. (2006). URL: .
10. Erhard, W., Gutzmann, M. M., & Libati, H. M. (2000). Network traffic analysis and security monitoring UniMon. In Proceedings of the IEEE conference on high performance switching and routing (pp. 439-46).
11. Goldman, R. P., Heimerdinger, W., Harp, S. A., Geib, C. W., Thomas, V., & Carter, R. L. (2001). Information modeling for intrusion report aggregation. In DARPA information survivability conference and exposition II (pp. 115-137).
12. Hsin, W. Y. (2005). A study of alert-based collaborative defense. Master thesis, National Chiao Tung University, Hsinchu, Taiwan, ROC.
13. Julisch, K., & Dacier, M. (2002). Mining intrusion detection alarms for actionable knowledge. In Proceedings of the eighth ACM international conference on knowledge discovery and data mining (pp. 366-375).
14. Lee K., Kim J., Kwon K.H., Han Y.G., and Kim S. DDoS attack detection method using cluster analysis. Expert Systems with Applications 34 (2008) 1659-1665
15. Lin S.C., and Tseng S.S. Constructing detection knowledge for DDoS intrusion tolerance. Expert Systems with Applications 27 (2004) 379-390
16. Madden, S. R., Shah, M. A., & Hellerstein, J. M. (2002). Continuously adaptive continuous queries over streams. In Proceedings of ACM SIGMOD 2002 (pp. 49-60).
17. Morin, B., & Debar, H. (2003). Correlation of intrusion symptoms: An application of chronicles. In Proceedings of the sixth symposium on recent advances in intrusion detection (RAID 2003) (pp. 92-112).
18. Ning, P., Cui, Y., & Reeves, D. S. (2002). Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the nineth ACM conference on computer and communications security (pp. 245-154).
19. Ning, P., Xu, D., Healey, C. G., & Amant, R. A. St. (2004). Building attack scenarios through integration of complementary alert correlation methods. In Proceedings of the 11th annual network and distributed system security symposium (NDSS'04).
20. Park, K., & Lee, H. (2001). On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. In Proceedings of the 2001 conference on applications, technologies, architectures, and protocols for computer communications (pp. 15-26).
21. Porras, P. A., Fong, M. W., & Valdes, A. (2002). A mission-impact-based approach to INFOSEC alarm correlation. In Lecture notes in computer science, proceedings recent advances in intrusion detection (pp. 95-114).
22. Sabhnani, M., & Serpen, G. (2003). Application of machine learning algorithms to KDD intrusion detection dataset within misuse detection. In Proceedings of the international conference on machine learning; models, technologies and applications (MLMTA'03) (pp. 209-215).
23. Shin, M. S., Kim, E. H., & Ryu, K. H. (2004). False alarm classification model for network-based intrusion detection system. In Proceedings of IDEAL 2004 (pp. 259-265).
24. Snort, Intrusion Detection/Prevention System (2006). URL: .
25. Symantec Corp. (2006). Symantec internet security threat report: Trends for July 05-Decamber 05. In Vol. IX. URL: .
26. Valdes, A., & Skinner, K. (2001). Probabilistic alert correlation. In Proceedings of the fourth international symposium on recent advances in intrusion detection (pp. 54-68).
27. Xu, J., & Lee, W. (2003). Sustaining availability of web services under distributed denial of service attacks. In IEEE transactions on computers (Vol. 52(2)) (pp. 195-208).