Attack Pattern Mining Algorithm Based on Fuzzy Clustering and Sequence Pattern from Security Log

  • Jianyi LiuEmail author
  • Keyi Li
  • Yang Li
  • Ru Zhang
  • Xi Duan
Conference paper
Part of the Smart Innovation, Systems and Technologies book series (SIST, volume 110)


This paper proposed an attack pattern mining algorithm based on improved fuzzy clustering and sequence pattern mining. The method combines the advantage of fuzzy clustering to describe the similarity between security logs and the advantage of sequence pattern to describe the logical relationship in attacking steps. The experimental results show that the algorithm can effectively mine the attack pattern, improve the accuracy and generate more effective attack pattern.


Attack pattern Security logs Sequence pattern mining Fuzzy clustering PrefixSpan 



This work was supported by The National Key Research and Development Program of China under Grant 2016YFB0800903, the NSF of China (U1636112, U1636212).


  1. 1.
    National Computer Network Emergency Response Coordination Center: 2015 China Internet Security Report. People’s Posts and Telecommunications Press, Beijing (2015)Google Scholar
  2. 2.
    Kokila, R.T., Thamarai Selvi, S., Govindarajan, K.: DDoS detection and analysis in SDN-based environment using support vector machine classifier. In: 2014 Sixth International Conference on Advanced Computing (ICoAC) pp. 205–210 (2014)Google Scholar
  3. 3.
    Templeton Steven, J., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings of the 2000 workshop on New security paradigms, pp. 31–38 (2000)Google Scholar
  4. 4.
    Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alert. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 245–254 (2002)Google Scholar
  5. 5.
    Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: Proceedings of the 17th Annual Computer Security Applications Conference, pp. 22–31 (2001)Google Scholar
  6. 6.
    Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 202–215 (2002)Google Scholar
  7. 7.
    Cuppens, F., Autrel, F., Miege, A., et al.: Correlation in an intrusion detection process. In: Proceedings of the SECI02 Workshop, pp. 153–171 (2002)Google Scholar
  8. 8.
    Qin, X., Lee, W.: Causal discovery-based alert correlation. In: Proceedings of the 21st Annual Computer Security Application Conference, pp. 33–40 (2005) Google Scholar
  9. 9.
    Qin, X, Lee, W.: Discovering novel attack strategies from INFOSEC alerts. In: Proceedings of the 9th European Symposium on Research in Computer Security, pp. 439–456 (2004)CrossRefGoogle Scholar
  10. 10.
    Zhu, B., Ghorbani, A.A.: Alert correlation for extracting attack strategies. Int. J. Netw. Secur. 3(3) (2006)Google Scholar
  11. 11.
    Kavousi, F., Akbari, B.: A Bayesian network-based approach for learning attack strategies from intrusion alerts. Secur. Commun. Netw. 7(7), 833–853 (2014)CrossRefGoogle Scholar
  12. 12.
    Zhang, A.F., Li, Z.T., Li, D, Wang, L.: Discovering novel multistage attack patterns in alert streams. In: 2007 International Conference on Networking, Architecture, and Storage (NAS 2007), pp. 115–121 (2007)Google Scholar
  13. 13.
    Hellerstein, J.L., Ma, S.: Mining event data for actionable patterns. In: International Computer Measurement Group Conference, pp. 307–318 (2000)Google Scholar
  14. 14.
    Treinen, J.J., Thurimella, R.: A framework for the application of association rule mining in large intrusion detection infrastructures. Recent. Adv. Intrusion Detect. 23–38 (2006)Google Scholar
  15. 15.
    Theodoridis, S., Koutroumbas, K., Ridis, T., et al.: Pattern Recognition, 2nd edn. Electronic Industry Press, Beijing (2004)Google Scholar
  16. 16.
    Lin, Z., Shi-tong, W., Zhao-hong, D.: Generalized study of FCM clustering algorithm based on improved fuzzy partition. J. Comput. Res. Dev. 5, 814–822 (2009)Google Scholar
  17. 17.
    MIT Lincoln Laboratory DDoS 1.0 Intrusion Detection Dataset [DB/OL].
  18. 18.
    DDo S 2.0.2 Intrusion Detection Dataset Host [EB/OL].

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Jianyi Liu
    • 1
    Email author
  • Keyi Li
    • 1
  • Yang Li
    • 1
  • Ru Zhang
    • 1
  • Xi Duan
    • 1
  1. 1.Information Security Center, Beijing University of Posts and TelecommunicationsBeijingChina

Personalised recommendations