
Online Mining of Attack Models in IDS Alerts from Network Backbone by a Two-Stage Clustering Method

Conference paper
Cyberspace Safety and Security (CSS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8300)

Abstract

Little work has been done on mining attack models online from IDS alerts collected on the network backbone. The contributions of this paper are three-fold. Firstly, we put forward a software-pipeline online attack-model mining framework suited to alert-clustering mining methods. Secondly, we propose an online alert reduction method and improve the two-stage clustering method. Thirdly, we propose an approach for adjusting the parameters used in the framework on the fly. The experiment shows that the data feature is stable over the sequence length, so the parameter self-adjustment algorithm can be applied, and that parameter self-adjustment works well under the online mining framework. Online mining of attack models is efficient compared to the offline mining method, and the generated attack models have a convincing logical relation.




Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Qiao, LB., Zhang, BF., Zhao, RY., Su, JS. (2013). Online Mining of Attack Models in IDS Alerts from Network Backbone by a Two-Stage Clustering Method. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds) Cyberspace Safety and Security. CSS 2013. Lecture Notes in Computer Science, vol 8300. Springer, Cham. https://doi.org/10.1007/978-3-319-03584-0_9


  • DOI: https://doi.org/10.1007/978-3-319-03584-0_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-03583-3

  • Online ISBN: 978-3-319-03584-0

  • eBook Packages: Computer Science (R0)