Intelligent alert clustering model for network intrusion analysis

International Journal of Advances in Soft Computing and its Applications

Volumn 1, Issue 1, 2009, Pages 33-48

  Siraj, Maheyzah Md ^a   Maarof, Mohd Aizaini ^a   Hashim, Siti Zaiton Mohd ^a  

^a UNIVERSITI TEKNOLOGI MALAYSIA   (Malaysia)

Author keywords

Alert clustering; Alert correlation; Expectation maximization; Principal component analysis; Unsupervised learning

Indexed keywords

EID: 77958541754     PISSN: 20748523     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Article

References (25)

1. A. Siraj, and R. B. Vaughn, "Multi-level alert clustering for intrusion detection sensor data," Proc. of the North American Fuzzy Information Processing Society, (2005), pp. 748-753.
2. K. Julisch, and M. Dacier, "Mining intrusion detection alarms for actionable knowledge," Proc. of the 8th ACM Int. Conf. on Knowledge Discovery and Data Mining, (2002), pp. 366-375.
3. H. Debar, and A. Wespi, "Aggregation and correlation of intrusion detection alerts," Proc. of the 4th Int. Symp. on Recent Advances in Intrusion Detection, (2001), pp. 87-105.
4. R. Smith, N. Japkowicz, M. Dondo, and P. Mason, "Using unsupervised learning for network alert correlation," Springer-Verlag LNAI 5032, (2008), pp. 308-319.
5. O.M. Dain, and R. K. Cunningham, "Fusing a heterogeneous alert stream into scenarios," ACM Workshop on Data Mining for Security Applications, (2001), pp. 1-13.
6. F. Cuppens, and A. Miege, "Alert correlation in a cooperative intrusion detection framework," Proc. of the IEEE Symp. on Security and Privacy, (2002), pp. 202-215.
7. P. Kabiri, and A. A. Ghorbani, "A rule-based temporal Alert Correlation System," Int. J. of Network Security, Vol. 5, No. 1, (2007), pp. 66-72.
8. H. Debar, D. Curry, and B. Feinstein. (2007). The Intrusion Detection Message Exchange Format (IDMEF) [Online]. Available: ftp://ftp.rfceditor. org/in-notes/rfc4765.txt
9. I. T Jolliffe, Principal Component Analysis (3rd ed.). New York: Springer Verlag, (2002).
10. E. Oja, "Neural networks, principal components, and subspaces," Int. Journal of Neural Systems, Vol. 1, No. 1, (1989), pp. 61-68.
11. J. X. Wang, Z. Y. Wang, and K. Dai, "Intrusion alert analysis based on PCA and the LVQ neural network," Proc. of the13th Int. Conf. on Neural Information Processing, (2006), Vol. 4234, pp. 217-224.
12. N. Japkowicz, and R. Smith, "Autocorrel II: Unsupervised network event correlation using neural networks," Contractor Report, CR2005-155, DRDC Ottawa, (2005).
13. T. Kohonen, Self-Organizing Maps: Series in Information Sciences (3rd ext. ed.). Berlin: Springer, (2001).
14. J. B. MacQueen, "Some methods for classification and analysis of multivariate observations," Proc. of 5th Berkeley Symposium on Mathematical Statistics and Probability, Berkeley: University of California Press, Vol. 1, (1967), pp. 281-297.
15. J. C. Dunn, "A fuzzy relative of the ISODATA process and its use in detecting compact well-separated clusters," J. of Cybernetics, Vol. 3, (1973), pp. 32-57.
16. J. C. Bezdek, Pattern Recognition with Fuzzy Objective Function Algorithms, New York: Plenum Press, (1981).
17. A.P. Dempster, N.M. Laird, and D.B. Rubin, "Maximum likelihood from Incoming data via the EM algorithm," J. Royal Stat. Soc., Series B, Vol. 39, No. 1, (1977), pp. 1-36.
18. C. B. Do, and S. Batzoglou, "What is the Expectation Maximization algorithm?," Nature Biotechnology, Vol. 26, (2008), pp. 897-899.
19. RealSecure Signatures Reference Guide. Internet Security Systems [Online]. Available: http://xforce.iss.net
20. T. Pietraszek, Alert Classification to Reduce False Positives in Intrusion Detection. PhD Thesis. Germany: Albert-Ludwigs-Universiẗat Freiburg im Breisgau, (2006).
21. MIT Lincoln Lab. (2000). DARPA 2000 Intrusion Detection Evaluation Datasets [Online]. Available: http://ideval.ll.mit.edu/2000index.html
22. Internet Security Systems. RealSecure Network 10/100 [Online]. Available: http://www.iss.net/products_services/enterprise_protection/rsnetwork/sensor. php
23. P. Ning. (2002). TIAA: A Toolkit for Intrusion Alert Analysis [Online]. Available: http://discovery.csc.ncsu.edu/software/correlator
24. The MathWorks. MATLAB: The Languange of Technical Computing [Online]. Available: http://www.mathworks.com
25. A. Faour, P. Leray, and B. Eter, "Automated filtering of network intrusion detection alerts," Proc. 1st Joint Conf. on Security in Network Architectures and Security of Information Systems, (2006), pp. 277-291.