
Understanding Network Security Data: Using Aggregation, Anomaly Detection, and Cluster Analysis for Summarization

  • Chapter
Managing Cyber Threats

Part of the book series: Massive Computing ((MACO,volume 5))


Abstract

This chapter discusses the use of off-line analysis techniques to help network security analysts at the ACME Corporation review network alert data efficiently. Aggregation is used to summarize network events by source Internet Protocol (IP) address and period of activity. These aggregate records are referred to as meta-session records. Anomaly detection is then used to identify obvious network probes using aggregate features of the meta-session records. Cluster analysis is used for further exploration of interesting groups of meta-session records.
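As an added illustration of the first two steps the abstract describes (aggregating alerts into meta-session records by source IP and period of activity, then scoring those records on aggregate features to surface obvious probes), the following is example code written for this page, not the chapter's own implementation. The alert records, the ten-minute inactivity gap used to split a source's activity into periods, the fan-out features (event count, distinct destination hosts, distinct destination ports), and the median/MAD z-score threshold are all assumptions made for the example; the chapter's actual features and detection rule are not reproduced on this page.

```python
"""Aggregate alert records into meta-session records and flag probe-like
sessions with a robust z-score over aggregate features.

Added example for this page; not the chapter's code. Feature set, gap and
threshold are assumptions chosen to make the idea concrete."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2003, 5, 1, 8, 0, 0)


def at(seconds):
    """Timestamp helper for the constructed sample below."""
    return BASE + timedelta(seconds=seconds)


# Constructed sample alerts: (timestamp, src_ip, dst_ip, dst_port, signature).
# Four benign internal sources, one of them returning 30 minutes later, and
# one external source sweeping 192.168.1.1-16 on TCP/445 one host per second.
ALERTS = [
    (at(0), "10.0.0.5", "192.168.1.10", 80, "WEB-MISC"),
    (at(60), "10.0.0.5", "192.168.1.10", 80, "WEB-MISC"),
    (at(5), "10.0.0.6", "192.168.1.10", 80, "WEB-MISC"),
    (at(10), "10.0.0.7", "192.168.1.10", 80, "WEB-MISC"),
    (at(70), "10.0.0.7", "192.168.1.11", 443, "WEB-SSL"),
    (at(130), "10.0.0.7", "192.168.1.11", 443, "WEB-SSL"),
    (at(20), "10.0.0.8", "192.168.1.12", 25, "SMTP"),
    (at(25), "10.0.0.8", "192.168.1.12", 25, "SMTP"),
    # same source 30 minutes later: exceeds the gap, so a second meta-session
    (at(1860), "10.0.0.5", "192.168.1.10", 80, "WEB-MISC"),
] + [
    (at(300 + i), "203.0.113.9", f"192.168.1.{i + 1}", 445, "NETBIOS-SMB")
    for i in range(16)
]

INACTIVITY_GAP = timedelta(minutes=10)  # assumption: period boundary


def summarize(src, events):
    """One meta-session record: aggregate features of a source's period."""
    ts = [e[0] for e in events]
    return {
        "src": src,
        "start": min(ts),
        "end": max(ts),
        "events": len(events),
        "dst_hosts": len({e[2] for e in events}),
        "dst_ports": len({e[3] for e in events}),
        "signatures": len({e[4] for e in events}),
    }


def build_meta_sessions(alerts, gap=INACTIVITY_GAP):
    """Group alerts by source IP; start a new period whenever the silence
    between consecutive alerts from that source exceeds `gap`."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a[0]):
        by_src[a[1]].append(a)
    sessions = []
    for src, events in by_src.items():
        current = [events[0]]
        for ev in events[1:]:
            if ev[0] - current[-1][0] > gap:
                sessions.append(summarize(src, current))
                current = []
            current.append(ev)
        sessions.append(summarize(src, current))
    return sessions


def robust_z(values):
    """Median/MAD z-scores: the outliers we are looking for cannot drag the
    centre or scale the way they would with mean and standard deviation."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    mad = mad if mad > 0 else 1.0  # constant feature: fall back to unit scale
    return [0.6745 * (v - med) / mad for v in values]


def flag_probes(sessions, threshold=3.5):
    """Score each meta-session by its largest robust z over the fan-out
    features and return the sources whose score exceeds `threshold`."""
    feats = ["events", "dst_hosts", "dst_ports"]
    zs = {f: robust_z([s[f] for s in sessions]) for f in feats}
    flagged = []
    for i, s in enumerate(sessions):
        s["score"] = round(max(zs[f][i] for f in feats), 2)
        if s["score"] > threshold:
            flagged.append(s["src"])
    return flagged


if __name__ == "__main__":
    recs = build_meta_sessions(ALERTS)
    probes = flag_probes(recs)
    for r in recs:
        print(r["src"], r["events"], r["dst_hosts"], r["dst_ports"], r["score"])
    print("flagged:", probes)
```

Running it collapses 25 alerts into six meta-session records (10.0.0.5 gets two, because its second alert burst falls outside the inactivity gap), and only the 203.0.113.9 sweep exceeds the threshold: its 16 distinct destination hosts sit far outside the median fan-out of one. Records that are not flagged but still look interesting are what the chapter's cluster-analysis step would then group for further exploration.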






Copyright information

© 2005 Springer Science+Business Media, Inc.

About this chapter

Cite this chapter

DeBarr, D. (2005). Understanding Network Security Data: Using Aggregation, Anomaly Detection, and Cluster Analysis for Summarization. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds) Managing Cyber Threats. Massive Computing, vol 5. Springer, Boston, MA. https://doi.org/10.1007/0-387-24230-9_5


  • DOI: https://doi.org/10.1007/0-387-24230-9_5

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-24226-2

  • Online ISBN: 978-0-387-24230-9

  • eBook Packages: Computer Science (R0)
