Applying Data Mining Techniques to Analyze Alert Data

  • Moonsun Shin
  • Hosung Moon
  • Keunho Ryu
  • KiYoung Kim
  • JinOh Kim
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2642)


The architecture of policy-based network management is hierarchical, consisting of a management layer and an enforcement layer. A security policy server in the management layer must be able to generate new policies, delete or update existing policies, and decide on a policy when one is requested. Therefore the security policy server must analyze and manage the alert messages it receives from the policy enforcement system. In this paper, we propose an alert analyzer with a data mining engine. It is a helpful system for managing faulty users or hosts. The implemented mining system efficiently supports the alert analyzer and the high-level analyzer for security policy management.





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Moonsun Shin (1)
  • Hosung Moon (1)
  • Keunho Ryu (1)
  • KiYoung Kim (2)
  • JinOh Kim (2)
  1. Database Laboratory, Chungbuk National University, Chungbuk, Korea
  2. Network Security Department, Electronics and Telecommunications Research Institute, Korea
