A Comprehensive Approach to Detect Unknown Attacks Via Intrusion Detection Alerts

  • Jungsuk Song
  • Hayato Ohba
  • Hiroki Takakura
  • Yasuo Okabe
  • Kenji Ohira
  • Yongjin Kwon
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4846)

Abstract

Intrusion detection systems (IDS) have played an important role as devices that defend our networks from cyber attacks. However, since they still struggle to detect unknown attacks, i.e., 0-day attacks, the ultimate challenge in the intrusion detection field is how to identify such attacks precisely. This paper presents a novel approach that is quite different from the traditional detection models based on raw traffic data. The proposed method extracts unknown activities from IDS alerts by applying data mining techniques. We evaluated our method over the log data of an IDS deployed at Kyoto University, and our experimental results show that it can extract unknown (or under-development) attacks from IDS alerts by assigning each alert a score that reflects how anomalous it is, and by visualizing the scored alerts.

Keywords

Training Data; Intrusion Detection; Intrusion Detection System; Association Rule Mining; Representative Point

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Jungsuk Song (1)
  • Hayato Ohba (1)
  • Hiroki Takakura (2)
  • Yasuo Okabe (2)
  • Kenji Ohira (1)
  • Yongjin Kwon (3)

  1. Graduate School of Informatics, Kyoto University
  2. Academic Center for Computing and Media Studies, Kyoto University
  3. Information and Telecom. Eng., Korea Aerospace University