Implementation of an Alert Data Analyzer Using Data Mining Techniques

Implementation of Analyzer of the Alert Data using Data Mining

  • 신문선 (Chungbuk National University, Department of Computer Science) ;
  • 김은희 (Chungbuk National University, Computer Science) ;
  • 문호성 (가림정보기) ;
  • 류근호 (Chungbuk National University, Electrical, Electronic and Computer Engineering) ;
  • 김기영 (ETRI, Network Security Research Division)
  • Published : 2004.02.01

Abstract

As network configurations have recently become more complex, the need for policy-based network management technology has grown, and policy-based network management is being adopted in particular as a new paradigm for network security management. A security policy server must enter new policies, modify or delete existing policies, and make policy decisions whenever a security policy decision is requested; to do this it needs to analyze and manage the alert messages sent by the security policy enforcement system. This paper therefore designs and implements an alert data analyzer that, within the structure of the policy-based network security management framework, supports the security policy server in establishing and executing security policies efficiently. We design a database schema for storing and analyzing alert data, implement a module that analyzes the stored alert data, and implement an alert data mining engine that analyzes the alert data efficiently; from the mining results, new groups of similar alert patterns and attack sequences can be inferred, which supports active security policy management.

As network systems develop rapidly and network architectures become more complex than before, network systems need PBNM (Policy-Based Network Management). Generally, the architecture of PBNM consists of two hierarchical layers: a management layer and an enforcement layer. A security policy server in the management layer should be able to generate new policies, delete or update existing policies, and decide a policy when a security policy is requested. The security policy server should also be able to analyze and manage the alert messages received from the policy enforcement system in the enforcement layer so that the information they carry is available. In this paper, we propose an alert analyzer using data mining. First, within the framework of policy-based network security management, we design and implement an alert analyzer that analyzes alert data stored in a DBMS. The alert analyzer is a helpful system for managing faulty users or hosts. Second, we implement a data mining system for analyzing alert data. The implemented mining system can efficiently support the alert analyzer and the high-level analyzer for security policy management. Finally, the proposed system is evaluated with performance parameters and is able to find new alert sequences and similar alert patterns.
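The two mining outputs the abstract names, attack sequences and groups of similar alerts, can be illustrated on a handful of stored alert records. The following is an added example written for this page, not code from the paper or its mining engine: the alert records, the session key (src, dst) and the attribute-overlap grouping rule are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample alerts (time, src, dst, alert_type): the kind of records a
# policy enforcement system would report and the analyzer would store in the DBMS.
ALERTS = [
    (1, "10.0.0.5", "10.0.1.1", "PORTSCAN"),
    (2, "10.0.0.5", "10.0.1.1", "FTP_BRUTEFORCE"),
    (3, "10.0.0.5", "10.0.1.1", "ROOT_LOGIN"),
    (4, "10.0.0.9", "10.0.1.2", "PORTSCAN"),
    (5, "10.0.0.9", "10.0.1.2", "FTP_BRUTEFORCE"),
    (6, "10.0.0.9", "10.0.1.2", "ROOT_LOGIN"),
    (7, "10.0.0.7", "10.0.1.3", "PORTSCAN"),
    (8, "10.0.0.7", "10.0.1.3", "ICMP_FLOOD"),
    (9, "10.0.0.5", "10.0.1.4", "PORTSCAN"),
]

def sessions(alerts):
    """Time-ordered list of alert types for each (src, dst) pair (assumed session key)."""
    by_pair = defaultdict(list)
    for _, src, dst, kind in sorted(alerts):
        by_pair[(src, dst)].append(kind)
    return dict(by_pair)

def frequent_sequences(alerts, length=2, min_support=2):
    """Attack-sequence candidates: contiguous alert-type subsequences of the
    given length that occur in at least min_support distinct sessions."""
    counts = Counter()
    for seq in sessions(alerts).values():
        # a set, so a subsequence repeated inside one session counts once
        counts.update({tuple(seq[i:i + length])
                       for i in range(len(seq) - length + 1)})
    return {gram: n for gram, n in counts.items() if n >= min_support}

def similar_alert_groups(alerts, min_shared=2):
    """Similar-pattern groups: an alert joins the first group whose first
    member shares at least min_shared of (src, dst, alert_type) with it."""
    groups = []
    for _, src, dst, kind in sorted(alerts):
        attrs = (src, dst, kind)
        for group in groups:
            if sum(a == b for a, b in zip(group[0], attrs)) >= min_shared:
                group.append(attrs)
                break
        else:
            groups.append([attrs])
    return groups
```

On the sample data the three-step sequence PORTSCAN, FTP_BRUTEFORCE, ROOT_LOGIN is reported with support 2, and the scan from 10.0.0.5 against a second target is pulled into the same similar-alert group as its earlier session.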

Keywords
