Applying Data Mining Techniques to Analyze Alert Data
The architecture of policy-based network management is hierarchical, consisting of a management layer and an enforcement layer. A security policy server in the management layer must be able to generate a new policy, delete or update an existing policy, and decide which policy applies when a security policy is requested. To do so, the security policy server must analyze and manage the alert messages it receives from the policy enforcement system. In this paper, we propose an alert analyzer built around a data mining engine. It is a useful system for managing faulty users or hosts. The implemented mining system efficiently supports both the alert analyzer and the high-level analyzer in security policy management.
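The abstract describes the management-layer policy server consuming alert messages from the enforcement layer and turning them into decisions about faulty users or hosts, but does not specify the alert format or the mining step. The following is an added illustration, not the paper's code or its mining engine: it assumes a constructed alert record (timestamp, host, user, alert type), aggregates alerts per subject within fixed time windows, and applies a simple count threshold in place of a real mining algorithm to produce policy decisions the management layer could push down to the enforcement layer.

```python
"""Illustrative alert analyzer for a two-layer policy-based management system.

Added example, not code from the paper. The alert record layout, the
window-bucketed counting and the threshold rule are all assumptions made
for illustration; the paper's data mining engine is not described here.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Alert:
    """One alert message as the enforcement layer might report it (assumed layout)."""
    ts: int      # seconds since epoch; constructed values below
    host: str    # host the enforcement point attributes the activity to
    user: str    # user the enforcement point attributes the activity to
    kind: str    # alert type label, e.g. "port_scan"


@dataclass(frozen=True)
class PolicyDecision:
    """What the policy server decides for one subject (host or user)."""
    subject: str   # "host:<addr>" or "user:<name>"
    action: str    # "quarantine" for hosts, "restrict" for users
    count: int     # alert count in the window that triggered the decision
    reason: str


# Constructed sample alert stream (not real data).
SAMPLE_ALERTS = [
    Alert(1000, "10.0.0.5", "alice", "port_scan"),
    Alert(1010, "10.0.0.5", "alice", "port_scan"),
    Alert(1020, "10.0.0.5", "bob", "port_scan"),
    Alert(1030, "10.0.0.5", "bob", "failed_login"),
    Alert(1040, "10.0.0.7", "carol", "failed_login"),
    Alert(5000, "10.0.0.7", "carol", "failed_login"),
]


def alert_counts(alerts: Iterable[Alert], window: int) -> Dict[Tuple[str, int], int]:
    """Count alerts per (subject, time bucket).

    Each alert names both a host and a user, so it contributes to two
    subject keys. Buckets are fixed windows of `window` seconds.
    """
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for a in alerts:
        bucket = a.ts // window
        counts[("host:" + a.host, bucket)] += 1
        counts[("user:" + a.user, bucket)] += 1
    return dict(counts)


def decide_policies(alerts: Iterable[Alert], window: int = 100,
                    host_threshold: int = 3, user_threshold: int = 2
                    ) -> Dict[str, PolicyDecision]:
    """Map aggregated alert counts to policy decisions.

    The threshold rule stands in for the mining engine; a real analyzer
    would use correlation or frequent-episode mining over the same counts.
    Returns the strongest decision per subject, keyed by subject.
    """
    decisions: Dict[str, PolicyDecision] = {}
    for (subject, bucket), n in sorted(alert_counts(alerts, window).items()):
        if subject.startswith("host:") and n >= host_threshold:
            action = "quarantine"
        elif subject.startswith("user:") and n >= user_threshold:
            action = "restrict"
        else:
            continue  # below threshold: no policy change for this subject
        prev = decisions.get(subject)
        if prev is None or n > prev.count:
            decisions[subject] = PolicyDecision(
                subject, action, n,
                f"{n} alerts in window {bucket * window}-{(bucket + 1) * window}s")
    return decisions


if __name__ == "__main__":
    for d in decide_policies(SAMPLE_ALERTS).values():
        print(f"{d.subject:16} {d.action:10} {d.reason}")
```

With the constructed stream and the defaults, host 10.0.0.5 accumulates four alerts in one window and is marked for quarantine, while alice and bob each reach the user threshold and are marked for restriction; host 10.0.0.7 and carol stay below threshold because their two alerts fall in different windows. Swapping the threshold rule for a mining step (for example, looking for recurring alert-type sequences per subject) is where the paper's engine would sit.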