Critical Episode Mining in Intrusion Detection Alerts

@article{Soleimani2008CriticalEM,
title={Critical Episode Mining in Intrusion Detection Alerts},
author={Mahboobeh Soleimani and Ali A. Ghorbani},
journal={6th Annual Communication Networks and Services Research Conference (cnsr 2008)},
year={2008},
pages={157-164}
}
• Published 5 May 2008
• Computer Science
• 6th Annual Communication Networks and Services Research Conference (cnsr 2008)
One of the most important steps in attack detection using Intrusion Detection Systems (IDSs) is dealing with the huge number of alerts, which can be either critical single alerts and multi-step attack scenarios or false alerts and non-critical ones. In this paper we try to address the problem of managing alerts via a multi-layer alert correlation and filtering that can identify critical alerts after each step of correlation and filtering. After applying the approach on LL DDoS 1.0 data set, we achieved…
9 Citations
Alert correlation by a retrospective method
• Computer Science
2009 International Conference on Information Networking
• 2009
A method for alert correlation through tracing results back to their causes, according to hacker attacks linked to certain sequence characteristics, is presented, which can find internal relations of an intrusion and accurately identify intrusion targets.
A hybrid alarm management strategy in signature-based intrusion detection systems
• Computer Science
2019 IEEE Colombian Conference on Communications and Computing (COLCOM)
• 2019
A comparative analysis of two approaches that consider the false alarm minimization and alarm correlation techniques is presented, providing the elements to propose a parallelizable strategy designed to achieve better results in terms of precision, recall and alarm load reduction in the prioritization of alarms.
Alert Correlation through Results Tracing back to Reasons
• Computer Science
2009 WRI International Conference on Communications and Mobile Computing
• 2009
A method for alert correlation through tracing results back to their causes, according to hacker attacks linked to certain sequence characteristics, is presented, which can find internal relations of an intrusion and accurately identify intrusion targets.
False alarm minimization techniques in signature-based intrusion detection systems: A survey
• Computer Science
Comput. Commun.
• 2014
This paper gives a taxonomy of false alarm minimization techniques in signature-based IDS and presents the pros and cons of each class and concludes with some directions to the future research.
A systematic survey on multi-step attack detection
• Computer Science
Comput. Secur.
• 2018
This survey aims to gather all the publications proposing multi-step attack detection methods as mechanisms to reveal attack scenarios composed of digital traces left by attackers.
Polygraph: System for Dynamic Reduction of False Alerts in Large-Scale IT Service Delivery Environments
• Computer Science
USENIX Annual Technical Conference
• 2011
Polygraph is a novel architecture for automated tuning of monitoring policies towards reducing false alerts, which integrates multiple types of service management data into an active-learning approach to automated generation of new monitoring policies.
Boosting performance in attack intention recognition by integrating multiple techniques
• Computer Science
Frontiers of Computer Science in China
• 2010
The proposed method is the first to correlate complementary intrusion evidence with frequent pattern mining techniques based on the FP-Growth algorithm to rebuild attack paths and to recognize attack intentions.
An orchestration approach for unwanted Internet traffic identification
• Computer Science
Comput. Networks
• 2012
The specification of a new orchestration-based approach to detect, and, as far as possible, to limit the actions of these coordinated attacks is presented.
Temporal mining for distributed systems
The application to system event mining is still in a rudimentary stage; most works still focus on episode mining or frequent pattern discovery, and these methods provide little actionable knowledge to help system administrators better manage their systems.

References

SHOWING 1-10 OF 37 REFERENCES
Correlating Alerts Using Prerequisites of Intrusions
• Computer Science
• 2001
The proposed approach provides a high-level representation of the correlated alerts and reveals the structure of series of attacks and can potentially be applied to predict attacks in progress and allows the intrusion response systems to take appropriate actions to stop the on-going attacks.
Alert correlation in a cooperative intrusion detection framework
• Computer Science
Proceedings 2002 IEEE Symposium on Security and Privacy
• 2002
This paper presents the work done within the MIRADOR project to design CRIM, a cooperative module for intrusion detection systems (IDS), and focuses on the approach to design the correlation function.
Alert Correlation for Extracting Attack Strategies
• Computer Science
Int. J. Netw. Secur.
• 2006
This paper focuses on developing a new alert correlation technique that can help to automatically extract attack strategies from a large volume of intrusion alerts, without specific prior knowledge about these alerts.
An Intrusion Alert Correlator Based on Prerequisites of Intrusions
• Computer Science
• 2002
This paper presents the development of an off-line intrusion alert correlator based on prerequisites of intrusions, which is the first step to address the problem of large amounts of alerts in situations where there are intensive intrusive actions.
Time series modeling for IDS alert management
• Computer Science
ASIACCS '06
• 2006
This paper presents the findings regarding the causes of background noise of intrusion detection systems, and one approach for monitoring the noise with reasonable user load is proposed, based on modeling regularities in alert flows with classical time series methods.
Data mining and machine learning - Towards reducing false positives in intrusion detection
• Computer Science
Inf. Secur. Tech. Rep.
• 2005
Two orthogonal and complementary approaches to reduce the number of false positives in intrusion detection using alert postprocessing by data mining and machine learning are presented.
An Alert Data Mining Framework for Network-Based Intrusion Detection System
• Computer Science
WISA
• 2005
The proposed alert data mining framework performs alert correlation analysis by using mining tasks such as axis-based association rules, axis-based frequent episodes and order-based clustering, and provides the capability of classifying false alarms in order to reduce false alarms from the intrusion detection system.
Statistical Causality Analysis of INFOSEC Alert Data
• Computer Science
RAID
• 2003
The results show that the approach can discover new patterns of attack relationships when the alerts of attacks are statistically correlated, and complements other approaches that use hard-coded prior knowledge for pattern matching.
Managing alerts in a multi-intrusion detection environment
• F. Cuppens
• Computer Science
Seventeenth Annual Computer Security Applications Conference
• 2001
This paper suggests specifications for three functions of intrusion detection: alert base management, alert clustering and alert merging, compliant with the IDMEF format currently being defined at the IETF.
Fusing A Heterogeneous Alert Stream Into Scenarios
• Computer Science
Applications of Data Mining in Computer Security
• 2002
An algorithm for fusing the alerts produced by multiple heterogeneous intrusion detection systems is presented, which can determine the scenario membership of a new alert in time proportional to the number of candidate scenarios.