A Design of false alarm analysis framework of intrusion detection system by using incremental mining method

Design of a false alarm analysis framework for intrusion detection systems using an incremental mining method

  • Eun Hee Kim (Department of Computer Science, Chungbuk National University) ;
  • Keun Ho Ryu (School of Electrical, Electronic and Computer Engineering, Chungbuk National University)
  • Published: 2006.06.01

Abstract

An intrusion detection system records a large number of alarms against attack behaviors in real time. These alarms contain not only actual attack alarms but also false alarms, that is, mistakes made by the intrusion detection system. False alarms are the main reason for the reduced efficiency of an intrusion detection system, so in this paper we propose a framework for false alarm analysis. We also apply an incremental data mining method to the pattern analysis of the continuously growing set of false alarms. The framework consists of a GUI, a DB Manager, an Alert Preprocessor, and a False Alarm Analyzer. Through experiments with the proposed framework we analyze the false alarms incrementally and show that false alarms are reduced by applying the analyzed false alarm rules in the intrusion detection system.

An intrusion detection system records a large number of alarms against attack behaviors in real time. Among these alarms are not only actual attack alarms but also false alarms generated by mistakenly detecting activity as an attack. Since false alarms are a major factor that lowers the efficiency of an intrusion detection system, this paper proposes a framework for false alarm analysis. In addition, an incremental data mining method is applied to analyze the continuously increasing false alarms. The proposed false alarm analysis framework consists of a GUI, DB Manager, Alert Preprocessor and False Alarm Analyzer. Through experiments we analyze the increasing false alarms and confirm that false alarms are reduced by applying the analyzed false alarm rules to the intrusion detection system.
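The abstract describes mining false alarm rules from a continuously growing alert stream and then applying those rules in the IDS. The following added example (not code from the paper) illustrates the incremental idea with a hypothetical, deliberately simple scheme: per-pattern support counts are kept across batches so a new batch is folded into the existing counts instead of re-scanning all alerts, and the resulting rules are used to suppress matching alerts. The alert batches, signature names, thresholds and the `IncrementalFalseAlarmMiner` / `suppress` names are all constructed assumptions, not the paper's data or algorithm.

```python
from collections import Counter

# Constructed sample alert batches (not from the paper). Each alert is
# (signature, source network, destination port, analyst verdict); the
# verdict 'fp' marks a confirmed false alarm, 'tp' a genuine attack.
ICMP = ("ICMP PING", "10.0.1.0/24", 0)
SNMP = ("SNMP request", "10.0.1.0/24", 161)
WEB = ("WEB cmd.exe access", "10.0.2.0/24", 80)
BATCH_1 = [ICMP + ("fp",)] * 3 + [SNMP + ("fp",), WEB + ("tp",)]
BATCH_2 = [ICMP + ("fp",)] * 2 + [SNMP + ("fp",)] * 2 + [SNMP + ("tp",), WEB + ("tp",)]


class IncrementalFalseAlarmMiner:
    """Mines false-alarm rules over (signature, source, port) patterns.

    Counts persist across batches, so a new batch only adds to the stored
    counts (hypothetical simple support counting, not the paper's algorithm).
    """

    def __init__(self, min_support, min_confidence):
        self.min_support = min_support        # minimum false-alarm count
        self.min_confidence = min_confidence  # minimum share of 'fp' verdicts
        self.fp_counts = Counter()            # pattern -> false-alarm count
        self.all_counts = Counter()           # pattern -> total alert count
        self.total = 0

    def add_batch(self, alerts):
        """Fold a new batch of labelled alerts into the running counts."""
        for sig, src, port, verdict in alerts:
            key = (sig, src, port)
            self.all_counts[key] += 1
            if verdict == "fp":
                self.fp_counts[key] += 1
        self.total += len(alerts)

    def rules(self):
        """Patterns whose false-alarm count and ratio clear both thresholds."""
        return {
            key for key, n_fp in self.fp_counts.items()
            if n_fp >= self.min_support
            and n_fp / self.all_counts[key] >= self.min_confidence
        }


def suppress(alerts, rules):
    """Drop alerts whose (signature, source, port) matches a mined rule."""
    return [a for a in alerts if a[:3] not in rules]
```

With `min_support=3` and `min_confidence=0.7`, only the ICMP pattern qualifies after the first batch; the SNMP pattern crosses the support threshold once the second batch is folded in, and a miner fed both batches at once produces the same rule set.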
