
Y-AOI: Y-Means Based Attribute Oriented Induction Identifying Root Cause for IDSs

  • Conference paper
Fuzzy Systems and Knowledge Discovery (FSKD 2005)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 3614)

Abstract

Attribute oriented induction (AOI) is a kind of aggregation method. By generalizing the attributes of alerts, it creates several clusters, each of which contains a set of alerts having the same or a similar cause. However, if the attributes are generalized too far, the administrator can no longer identify the root cause of the attack. In addition, deciding the time interval of clustering and deciding min_size are among the most critical problems. In this paper, we describe the over-generalization problem caused by an unbalanced generalization hierarchy and discuss a solution to it. We also discuss the problem of deciding the time interval and a meaningful min_size, and propose a reasonable method for solving these problems.
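An added illustration of the terms the abstract uses (generalization hierarchy, min_size, over-generalization); it is not the paper's Y-AOI algorithm or code. The hierarchies, the alert records, the attribute-selection heuristic and the over-generalization measure are all constructed assumptions for the example.

```python
from collections import Counter

# Constructed generalization hierarchies: value -> parent, root is "ANY".
# src_ip has three levels (host -> /24 -> /16 -> ANY); dst_port has one
# (port -> ANY). This imbalance is what lets one attribute collapse early.
SRC_IP = {
    "10.1.1.5": "10.1.1.0/24", "10.1.1.9": "10.1.1.0/24", "10.1.2.7": "10.1.2.0/24",
    "10.1.1.0/24": "10.1.0.0/16", "10.1.2.0/24": "10.1.0.0/16", "10.1.0.0/16": "ANY",
}
DST_PORT = {"22": "ANY", "80": "ANY", "443": "ANY"}
HIERARCHIES = {"src_ip": SRC_IP, "dst_port": DST_PORT}
ATTRS = ("src_ip", "dst_port")

def depth(value, hierarchy):
    """Number of generalization steps from value up to the root ANY."""
    steps = 0
    while value != "ANY":
        value = hierarchy.get(value, "ANY")
        steps += 1
    return steps

def aoi(alerts, min_size):
    """Generalize one attribute per round until a cluster holds >= min_size alerts.
    Assumed heuristic: pick the attribute with most distinct values, ties broken
    by the deeper hierarchy, so the shallow attribute is not collapsed first."""
    rows = [tuple(a[k] for k in ATTRS) for a in alerts]
    rounds = 0
    while True:
        big = [(c, n) for c, n in Counter(rows).items() if n >= min_size]
        if big or all(v == "ANY" for r in rows for v in r):
            return big, rounds
        idx = max(range(len(ATTRS)), key=lambda i: (
            len({r[i] for r in rows}),
            max(depth(r[i], HIERARCHIES[ATTRS[i]]) for r in rows)))
        rows = [tuple(HIERARCHIES[ATTRS[i]].get(r[i], "ANY") if i == idx else r[i]
                      for i in range(len(ATTRS))) for r in rows]
        rounds += 1

def over_generalized(cluster):
    """Assumed simple measure: once an attribute reaches ANY, the cluster no
    longer tells the administrator what that attribute was (root cause lost)."""
    return any(v == "ANY" for v in cluster)

# Constructed alerts: SSH probes from two hosts in 10.1.1.0/24 plus two unrelated alerts.
ALERTS = [
    {"src_ip": "10.1.1.5", "dst_port": "22"}, {"src_ip": "10.1.1.5", "dst_port": "22"},
    {"src_ip": "10.1.1.9", "dst_port": "22"}, {"src_ip": "10.1.2.7", "dst_port": "80"},
    {"src_ip": "10.1.1.5", "dst_port": "443"},
]

if __name__ == "__main__":
    for min_size in (3, 5):  # min_size=5 forces dst_port to ANY: over-generalization
        clusters, rounds = aoi(ALERTS, min_size)
        print(min_size, rounds, clusters, [over_generalized(c) for c, _ in clusters])
```

With min_size=3 the result is the meaningful cluster (10.1.1.0/24, 22); with min_size=5 the shallow dst_port hierarchy is exhausted and the only cluster large enough is (10.1.0.0/16, ANY), which no longer identifies the cause.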

This study is supported by the National Security Research Institute in Korea and the Brain Korea 21 project in 2004.

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, J., Lee, G., Seo, Jt., Park, Ek., Park, Cs., Kim, Dk. (2005). Y-AOI: Y-Means Based Attribute Oriented Induction Identifying Root Cause for IDSs. In: Wang, L., Jin, Y. (eds) Fuzzy Systems and Knowledge Discovery. FSKD 2005. Lecture Notes in Computer Science, vol 3614. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11540007_25

  • DOI: https://doi.org/10.1007/11540007_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28331-7

  • Online ISBN: 978-3-540-31828-6

  • eBook Packages: Computer Science (R0)