Mining intrusion detection alarms for actionable knowledge

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Mining intrusion detection alarms for actionable knowledge

Full text

Pdf (1.05 MB)

Source

International Conference on Knowledge Discovery and Data Mining archive
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining table of contents

Edmonton, Alberta, Canada

SESSION: Industry track papers table of contents

Pages: 366 - 375

Year of Publication: 2002

ISBN:1-58113-567-X

Authors

Klaus Julisch	IBM Research
Marc Dacier	IBM Research

Sponsors

SIGKDD: ACM Special Interest Group on Knowledge Discovery in Data
SIGMOD: ACM Special Interest Group on Management of Data
: AAAI

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 13, Downloads (12 Months): 83, Citation Count: 19

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/775047.775101 What is a DOI?

ABSTRACT

In response to attacks against enterprise networks, administrators increasingly deploy intrusion detection systems. These systems monitor hosts, networks, and other resources for signs of security violations. The use of intrusion detection has given rise to another difficult problem, namely the handling of a generally large number of alarms. In this paper, we mine historical alarms to learn how future alarms can be handled more efficiently. First, we investigate episode rules with respect to their suitability in this approach. We report the difficulties encountered and the unexpected insights gained. In addition, we introduce a new conceptual clustering technique, and use it in extensive experiments with real-world data to show that intrusion detection alarms can be handled efficiently by using previously mined knowledge.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, and E. Stoner. State of the Practice of Intrusion Detection Technologies. Technical report, Carnegie Mellon University, January 2000. http://www.cert.org/archive/pdf/99tr028.pdf.
	2	Rebecca Gurley Bace, Intrusion detection, Macmillan Publishing Co., Inc., Indianapolis, IN, 1999
	3	D. Barbará, J. Couto, S. Jajodia, L. Popyack, and N. Wu. ADAM: Detecting Intrusions by Data Mining. In IEEE Workshop on Information Assurance and Security, 2001.
	4	Daniel Barbara , Sushil Jajodia, Applications of Data Mining in Computer Security, Kluwer Academic Publishers, Norwell, MA, 2002
	5	D. Barbará, N. Wu, and S. Jajodia. Detecting Novel Network Intrusions Using Bayes Estimators. In First SIAM Int'l Conf. on Data Mining (SDM'01), 2001.
	6	Steven M. Bellovin, Packets found on an internet, ACM SIGCOMM Computer Communication Review, v.23 n.3, p.26-31, July 1993 [doi>10.1145/174194.174199]
	7	Gilles Bisson, Conceptual clustering in a first order logic representation, Proceedings of the 10th European conference on Artificial intelligence, p.458-462, August 1992, Vienna, Austria
	8	E. Bloedorn, B. Hill, A. Christiansen, C. Skorupka, L. Talboot, and J. Tivel. Data Mining for Improving Intrusion Detection, 2000. http://www.mitre.org/support/papers/tech_papers99_00/.
	9	J. Broderick -- Editor. IBM Outsourced Solution, 1998. http://www.infoworld.com/cgi-bin/displayTC.pl?/980504sb3-ibm.htm.
	10	P. Chan and S. Stolfo. Toward Scalable Learning with Non-Uniform Class and Cost Distributions: A Case Study in Credit Card Fraud Detection. In 4th Int'l Conf. on Knowledge Discovery and Data Mining, pages 164--168, 1998.
	11	C. Clifton and G. Gengo. Developing Custom Intrusion Detection Filters Using Data Mining. In Military Communications Int'l Symposium (MILCOM2000), October 2000.
	12	O. Dain and R. K. Cunningham. Fusing Heterogeneous Alert Streams into Scenarios. In Barbará and Jajodia {4}.
	13	H. Debar, M. Dacier, and A. Wespi. A Revised Taxonomy for Intrusion Detection Systems. Annales des Télécommunications, 55(7--8):361--378, 2000.
	14	Hervé Debar , Andreas Wespi, Aggregation and Correlation of Intrusion-Detection Alerts, Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, p.85-103, October 10-12, 2001
	15	Tom Fawcett , Foster Provost, Adaptive Fraud Detection, Data Mining and Knowledge Discovery, v.1 n.3, p.291-316, 1997 [doi>10.1023/A:1009700419189]
	16	Douglas H. Fisher, Knowledge Acquisition Via Incremental Conceptual Clustering, Machine Learning, v.2 n.2, p.139-172, September 1987 [doi>10.1023/A:1022852608280]
	17	Venkatesh Ganti , Johannes Gehrke , Raghu Ramakrishnan, CACTUS—clustering categorical data using summaries, Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining, p.73-83, August 15-18, 1999, San Diego, California, United States [doi>10.1145/312129.312201]
	18	M. Carofalakis and R. Rastogi. Data Mining Meets Network Management: The Nemesis Project. In ACM SIGMOD Int'l Workshop on Research Issues in Data Mining and Knowledge Discovery, May 2001.
	19	A. Gordon. Classification. Chapman and Hall, 1999
	20	Sudipto Guha , Rajeev Rastogi , Kyuseok Shim, ROCK: a robust clustering algorithm for categorical attributes, Information Systems, v.25 n.5, p.345-366, July 2000 [doi>10.1016/S0306-4379(00)00022-3]
	21	J. Han , Y. Cai , N. Cercone, Data-Driven Discovery of Quantitative Rules in Relational Databases, IEEE Transactions on Knowledge and Data Engineering, v.5 n.1, p.29-40, February 1993 [doi>10.1109/69.204089]
	22	J. Han and Y. Fu. Dynamic Generation and Refinement of Concept Hierarchies for Knowledge Discovery in Databases. In Workshop on Knowledge Discovery in Databases, pages 157--168, 1994.
	23	Jiawei Han , Yongjian Fu, Attribute-oriented induction in data mining, Advances in knowledge discovery and data mining, American Association for Artificial Intelligence, Menlo Park, CA, 1996
	24	P. Hansen, B. Jaumard, and N. Mladenovic. How to Choose K Entries Among N. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 19:105--116, 1995.
	25	O. Heinonen and H. Mannila. Attribute-Oriented Induction and Conceptual Clustering. Technical Report C-1996-2, University of Helsinki, 1996.
	26	J. L. Hellerstein and S. Ma. Mining Event Data for Actionable Patterns. In The Computer Measurement Group, 2000.
	27	Koral Ilgun , R. A. Kemmerer , Phillip A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Approach, IEEE Transactions on Software Engineering, v.21 n.3, p.181-199, March 1995 [doi>10.1109/32.372146]
	28	A. K. Jain , M. N. Murty , P. J. Flynn, Data clustering: a review, ACM Computing Surveys (CSUR), v.31 n.3, p.264-323, Sept. 1999 [doi>10.1145/331499.331504]
	29	H. S. Javitz and A. Valdes. The SRI IDES Statistical Anomaly Detector. In IEEE Symposium on Security and Privacy, Oakland, CA. SRI International, May 1991.
	30	K. Julisch, Mining Alarm Clusters to Improve Alarm Handling Efficiency, Proceedings of the 17th Annual Computer Security Applications Conference, p.12, December 10-14, 2001
	31	M. Klemettinen. A Knowledge Discovery Methodology for Telecommunication Network Alarm Data. PhD thesis, University of Helsinky (Finland), 1999.
	32	Wenke Lee , Salvatore J. Stolfo, A framework for constructing features and models for intrusion detection systems, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.227-261, Nov. 2000 [doi>10.1145/382912.382914]
	33	Stefanos Manganaris , Marvin Christensen , Dan Zerkle , Keith Hermiz, A data mining analysis of RTID alarms, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.34 n.4, p.571-577, Oct. 2000 [doi>10.1016/S1389-1286(00)00138-9]
	34	H. Mannila and H. Toivonen. Discovering Generalized Episodes Using Minimal Occurences. In 2nd Int'l Conf. on Knowledge Discovery and Data Mining, pages 146--151, 1996.
	35	Heikki Mannila , Hannu Toivonen , A. Inkeri Verkamo, Discovery of Frequent Episodes in Event Sequences, Data Mining and Knowledge Discovery, v.1 n.3, p.259-289, 1997 [doi>10.1023/A:1009748302351]
	36	John McHugh, The 1998 Lincoln Laboratory IDS Evaluation, Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, p.145-161, October 02-04, 2000
	37	R. S. Michalski and R. E. Stepp. Automated Construction of Classifications: Conceptual Clustering Versus Numerical Taxonomy. IEEE Transactions on Pattern Analysis and Machine Intelligence, 5(4):396--410, 1983.
	38	Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999 [doi>10.1016/S1389-1286(99)00112-7]
	39	Leonard Pitt , Robert E. Reinke, Criteria for Polynomial-Time (Conceptual) Clustering, Machine Learning, v.2 n.4, p.371-396, April 1988 [doi>10.1023/A:1022825229661]
	40	S. Staniford, J. A. Hoagland, and J. M. McAlerney. Practical Automated Detection of Stealthy Portscans. In ACM Computer and Communications Security IDS Workshop, pages 1--7, 2000.
	41	Luis Talavera , Javier Béjar, Generality-Based Conceptual Clustering with Probabilistic Concepts, IEEE Transactions on Pattern Analysis and Machine Intelligence, v.23 n.2, p.196-206, February 2001 [doi>10.1109/34.908969]
	42	Alfonso Valdes , Keith Skinner, Probabilistic Alert Correlation, Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, p.54-68, October 10-12, 2001

CITED BY 19

	Andy Podgurski , David Leon , Patrick Francis , Wes Masri , Melinda Minch , Jiayang Sun , Bin Wang, Automated support for classifying software failure reports, Proceedings of the 25th International Conference on Software Engineering, May 03-10, 2003, Portland, Oregon
	Jeffrey B. Colombe , Gregory Stephens, Statistical profiling and visualization for detection of malicious insider attacks on computer networks, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
	Klaus Julisch, Clustering intrusion detection alarms to support root cause analysis, ACM Transactions on Information and System Security (TISSEC), v.6 n.4, p.443-471, November 2003
	Peng Ning , Dingbang Xu, Hypothesizing and reasoning about attacks missed by intrusion detection systems, ACM Transactions on Information and System Security (TISSEC), v.7 n.4, p.591-627, November 2004
	John R. Goodall , Wayne G. Lutters , Anita Komlodi, I know my network: collaboration and expertise in intrusion detection, Proceedings of the 2004 ACM conference on Computer supported cooperative work, November 06-10, 2004, Chicago, Illinois, USA
	John R. Goodall, Visualizing network traffic for intrusion detection, Proceedings of the 6th ACM conference on Designing Interactive systems, June 26-28, 2006, University Park, PA, USA
	Ido Green , Tzvi Raz , Moshe Zviran, Analysis of active intrusion prevention data for predicting hostile activity in computer networks, Communications of the ACM, v.50 n.4, p.63-68, April 2007
	Ningning Wu , Jing Zhang, Factor-analysis based anomaly detection and clustering, Decision Support Systems, v.42 n.1, p.375-389, October 2006
	Jouni Viinikka , Hervé Debar , Ludovic Mé , Renaud Séguier, Time series modeling for IDS alert management, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
	Dong Yu , Deborah Frincke, Improving the quality of alerts and predicting intruder's next goal with Hidden Colored Petri-Net, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.3, p.632-654, February, 2007
	Ramona Su Thompson , Esa M. Rantanen , William Yurcik , Brian P. Bailey, Command line or pretty lines?: comparing textual and visual interfaces for intrusion detection, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA
	Chi-Ho Tsang , Sam Kwong , Hanli Wang, Genetic-fuzzy rule mining approach and evaluation of feature selection techniques for anomaly intrusion detection, Pattern Recognition, v.40 n.9, p.2373-2391, September, 2007
	Andrew Turner , Hyong. S. Kim , Tina Wong, Automatic discovery of relationships across multiple network layers, Proceedings of the 2007 SIGCOMM workshop on Internet network management, August 27-31, 2007, Kyoto, Japan
	Rodrigo Werlinger , Kirstie Hawkey , Kasia Muldner , Pooya Jaferian , Konstantin Beznosov, The challenges of using an intrusion detection system: is it worth the effort?, Proceedings of the 4th symposium on Usable privacy and security, July 23-25, 2008, Pittsburgh, Pennsylvania
	Federico Maggi , Matteo Matteucci , Stefano Zanero, Reducing false positives in anomaly detectors through fuzzy alert aggregation, Information Fusion, v.10 n.4, p.300-311, October, 2009
	Jouni Viinikka , Hervé Debar , Ludovic Mé , Anssi Lehikoinen , Mika Tarvainen, Processing intrusion detection alert aggregates with time series modeling, Information Fusion, v.10 n.4, p.312-324, October, 2009
	Nien-Yi Jan , Shun-Chieh Lin , Shian-Shyong Tseng , Nancy P. Lin, A decision support system for constructing an alert classification model, Expert Systems with Applications: An International Journal, v.36 n.8, p.11145-11155, October, 2009
	Xiao-yan Yang , Kun Gao , Wei-gang Zhang, Study of intrusion detection system based on improved BP neural networks, First International Workshop on Artificial Intelligence in Grid Computing, p.1-4, August 14-17, 2007, Vancouver, Canada
	Nuno F. Neves , Miguel Correia , Paulo Verissimo, Solving Vector Consensus with a Wormhole, IEEE Transactions on Parallel and Distributed Systems, v.16 n.12, p.1120-1131, December 2005