
Implementation of Analyzer of the Alert Data using Data Mining  

신문선 (Department of Computer Science, Chungbuk National University)
김은희 (Computer Science, Chungbuk National University)
문호성 (가림정보기)
류근호 (School of Electrical, Electronic and Computer Engineering, Chungbuk National University)
김기영 (Network Information Security Research Division, Electronics and Telecommunications Research Institute)
Abstract
As network systems develop rapidly and network architectures become more complex than before, PBNM (Policy-Based Network Management) is needed in network systems. Generally, the architecture of PBNM consists of two hierarchical layers: a management layer and an enforcement layer. A security policy server in the management layer should be able to generate new policies, delete or update existing policies, and decide on a policy when a security policy is requested. The security policy server should also be able to analyze and manage the alert messages received from the policy enforcement system in the enforcement layer in order to extract useful information. In this paper, we propose an alert analyzer using data mining. First, within the framework of policy-based network security management, we design and implement an alert analyzer that analyzes alert data stored in a DBMS. The alert analyzer is a helpful system for managing faulty users or hosts. Second, we implement a data mining system for analyzing alert data. The implemented mining system can efficiently support the alert analyzer and the high-level analyzer for security policy management. Finally, the proposed system is evaluated with performance parameters and is able to find new alert sequences and similar alert patterns.
Keywords
Policy-Based Network Management; Intrusion Detection System; Alert Data; Data Mining; Association Rule; Frequent Episodes; Clustering