http://dx.doi.org/10.3745/KIPSTC.2003.10C.6.665

Alert Correlation Analysis based on Clustering Technique for IDS

Shin, Moon-Sun (Department of Computer Science, Graduate School, Chungbuk National University)
Moon, Ho-Sung (Garim Information Technology)
Ryu, Keun-Ho (School of Electrical, Electronics and Computer Engineering, Chungbuk National University)
Jang, Jong-Su (Electronics and Telecommunications Research Institute)
Abstract
In this paper, we propose an approach to correlate alerts using the clustering analysis of data mining techniques in order to support intrusion detection systems. Intrusion detection techniques are still far from perfect: current intrusion detection systems cannot fully detect novel attacks or variations of known attacks without generating a large number of false alerts. In addition, all current intrusion detection systems focus on low-level attacks or anomalies. Consequently, it is difficult for the intrusion detection systems to understand the intrusions behind the alerts and take appropriate actions. Clustering analysis groups data objects into clusters such that objects belonging to the same cluster are similar, while those belonging to different clusters are dissimilar. Using a clustering technique, we can analyze alert data efficiently and extract high-level knowledge about attacks. Namely, it is possible to classify new types of alerts as well as existing ones. It also helps to understand the logical steps and strategies behind a series of attacks using sequences of clusters, and can potentially be applied to predict attacks in progress.
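The abstract describes three things a clustering step gives an alert analyzer: grouping similar alerts, recognising an alert that matches no existing group as a new type, and reading an attacker's strategy off the sequence of clusters one source passes through. The following Python program is an added illustration of that idea; it is not the paper's code or method. The alert records are constructed, the attribute weights (signature counted twice), the average-link single-pass assignment and the threshold of 0.6 are assumptions chosen for the illustration, and the signature names are made-up sensor labels.

```python
"""Clustering IDS alerts on categorical attributes and reading the attack
sequence off the resulting clusters.

Added example, not code from the paper. The alert records are constructed;
the attribute weights, the assignment rule and the threshold are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int       # arrival time in seconds (constructed)
    src: str      # source address
    dst: str      # target address
    dport: int    # target port
    proto: str    # transport protocol
    sig: str      # signature / alert class reported by the sensor


# Assumed weights: the signature counts double, because two alerts sharing a
# signature are closer in "kind" than two alerts that merely share a port.
WEIGHTS = {"src": 1, "dst": 1, "dport": 1, "proto": 1, "sig": 2}
TOTAL_WEIGHT = sum(WEIGHTS.values())


def similarity(a: Alert, b: Alert) -> float:
    """Weighted Jaccard similarity over attribute/value pairs (0.0 .. 1.0)."""
    shared = sum(w for k, w in WEIGHTS.items() if getattr(a, k) == getattr(b, k))
    return shared / (2 * TOTAL_WEIGHT - shared)


def cluster_similarity(cluster: list[Alert], a: Alert) -> float:
    """Average-link similarity between an alert and an existing cluster."""
    return sum(similarity(m, a) for m in cluster) / len(cluster)


def classify(clusters: list[list[Alert]], a: Alert, theta: float):
    """Index of the best-matching cluster, or None when no cluster reaches
    `theta`, i.e. the alert belongs to a type not seen before."""
    best, best_sim = None, theta
    for i, c in enumerate(clusters):
        s = cluster_similarity(c, a)
        if s >= best_sim:
            best, best_sim = i, s
    return best


def cluster_alerts(alerts, theta: float = 0.6):
    """Single-pass clustering in arrival order: each alert joins the closest
    existing cluster or, if none is close enough, starts a new one."""
    clusters: list[list[Alert]] = []
    assignment: dict[Alert, int] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        idx = classify(clusters, a, theta)
        if idx is None:
            clusters.append([a])
            idx = len(clusters) - 1
        else:
            clusters[idx].append(a)
        assignment[a] = idx
    return clusters, assignment


def cluster_label(cluster: list[Alert]) -> str:
    """Human-readable label: the dominant signature in the cluster."""
    return Counter(a.sig for a in cluster).most_common(1)[0][0]


def cluster_sequence(alerts, assignment, src: str) -> list[int]:
    """Distinct clusters one source moved through, in time order, with
    consecutive repeats collapsed: the 'logical steps' behind its alerts."""
    seq: list[int] = []
    for a in sorted((x for x in alerts if x.src == src), key=lambda x: x.ts):
        if not seq or seq[-1] != assignment[a]:
            seq.append(assignment[a])
    return seq


# Constructed sample alerts: one source scans a host, probes its web server,
# then triggers a shellcode signature; a second source only triggers DNS alerts.
SAMPLE_ALERTS = [
    Alert(100, "10.0.0.5", "192.168.1.10", 21, "tcp", "SCAN_SYN"),
    Alert(101, "10.0.0.5", "192.168.1.10", 22, "tcp", "SCAN_SYN"),
    Alert(102, "10.0.0.5", "192.168.1.10", 80, "tcp", "SCAN_SYN"),
    Alert(120, "172.16.4.9", "192.168.1.20", 53, "udp", "DNS_ZONE_XFER"),
    Alert(121, "172.16.4.9", "192.168.1.20", 53, "udp", "DNS_ZONE_XFER"),
    Alert(300, "10.0.0.5", "192.168.1.10", 80, "tcp", "WEB_CGI_PROBE"),
    Alert(301, "10.0.0.5", "192.168.1.10", 80, "tcp", "WEB_CGI_PROBE"),
    Alert(500, "10.0.0.5", "192.168.1.10", 80, "tcp", "SHELLCODE_DETECT"),
]


if __name__ == "__main__":
    clusters, assignment = cluster_alerts(SAMPLE_ALERTS)
    for i, c in enumerate(clusters):
        print(f"cluster {i} [{cluster_label(c)}]: {len(c)} alerts")
    steps = cluster_sequence(SAMPLE_ALERTS, assignment, "10.0.0.5")
    print("10.0.0.5:", " -> ".join(cluster_label(clusters[i]) for i in steps))
    novel = Alert(901, "10.9.9.9", "192.168.1.30", 0, "icmp", "ICMP_FLOOD")
    print("novel alert cluster:", classify(clusters, novel, 0.6))
```

With the constructed input the scanner's alerts land in four clusters and its sequence reads SCAN_SYN -> WEB_CGI_PROBE -> SHELLCODE_DETECT, which is the kind of high-level view the abstract has in mind; an alert that resembles nothing seen so far comes back as `None` and starts a new cluster, which is how a new alert type surfaces. The average-link rule and the fixed threshold are the simplest choices that make the behaviour visible; a production analyzer would tune both against its own alert mix.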
Keywords
Intrusion Detection; Alert Data; Alert Correlation; Clustering