An Effective Method for Analyzing Intrusion Situation Through IP-Based Classification

  • Conference paper
Computational Science and Its Applications – ICCSA 2005 (ICCSA 2005)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3481)

Abstract

Because current intrusion detection systems produce false alerts and large volumes of alerts, system administrators have difficulty analyzing an intrusion in real time. To address this problem, intrusion situation analysis and alert correlation have been studied. However, the existing situation analysis method groups alerts by the similarity of their measures, which makes it hard to respond appropriately to an elaborate attack. Also, the method's result is so abstract that the raw information from before the reduction must be analyzed to understand the intrusion. In this paper, we reduce the number of alerts using aggregation and correlation and classify the alerts by IP addresses and attack types. Through this method, our tool can find a cunningly cloaked attack flow as well as the general attack situation, and both are visualized, so an administrator can easily understand the actual attack flow.
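To make the two steps of the abstract concrete, the following Python is an added example written for this page, not code from the paper or its tool: it aggregates repeated alerts on the same (source IP, destination IP, attack type) key, builds a per-IP classification of what each host sent and received, and then links groups whose target later appears as a source, which is the kind of multi-hop flow that a per-alert similarity grouping does not expose. The alert tuples, host addresses and attack-type labels are constructed sample data.

```python
from collections import defaultdict

# Constructed sample IDS alerts (not from the paper): (timestamp, src_ip, dst_ip, attack_type).
# Host 10.0.0.20 is first a target of 10.0.0.5 and later a source of alerts against 10.0.0.30.
SAMPLE_ALERTS = [
    (1, "10.0.0.5", "10.0.0.20", "PORTSCAN"),
    (2, "10.0.0.5", "10.0.0.20", "PORTSCAN"),
    (3, "192.168.1.9", "10.0.0.20", "PORTSCAN"),
    (4, "10.0.0.5", "10.0.0.20", "PORTSCAN"),
    (5, "10.0.0.5", "10.0.0.20", "EXPLOIT"),
    (6, "10.0.0.20", "10.0.0.30", "PORTSCAN"),
    (7, "10.0.0.20", "10.0.0.30", "PORTSCAN"),
    (8, "10.0.0.20", "10.0.0.30", "EXPLOIT"),
]

def aggregate(alerts):
    """Collapse repeated (src, dst, type) alerts into one record with a count and time span."""
    groups = {}
    for ts, src, dst, atype in alerts:
        g = groups.setdefault((src, dst, atype), {"count": 0, "first": ts, "last": ts})
        g["count"] += 1
        g["first"] = min(g["first"], ts)
        g["last"] = max(g["last"], ts)
    return groups

def classify_by_ip(groups):
    """Per IP address: the attack types it emitted and the attack types it received."""
    profile = defaultdict(lambda: {"as_source": set(), "as_target": set()})
    for src, dst, atype in groups:
        profile[src]["as_source"].add(atype)
        profile[dst]["as_target"].add(atype)
    return dict(profile)

def attack_chains(groups):
    """Return (first_src, pivot_host, final_dst) where an earlier target becomes a later source."""
    chains = set()
    for (s1, d1, _), g1 in groups.items():
        for (s2, d2, _), g2 in groups.items():
            if d1 == s2 and d2 != s1 and g2["first"] > g1["first"]:
                chains.add((s1, d1, d2))
    return sorted(chains)

if __name__ == "__main__":
    groups = aggregate(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(groups)} aggregated groups")
    for ip, prof in sorted(classify_by_ip(groups).items()):
        print(ip, "sends", sorted(prof["as_source"]), "receives", sorted(prof["as_target"]))
    for chain in attack_chains(groups):
        print("chain:", " -> ".join(chain))
```

On the sample data the eight raw alerts reduce to five groups, and the chain 10.0.0.5 -> 10.0.0.20 -> 10.0.0.30 is reported even though no single alert connects the first and last host.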

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, M. et al. (2005). An Effective Method for Analyzing Intrusion Situation Through IP-Based Classification. In: Gervasi, O., et al. Computational Science and Its Applications – ICCSA 2005. ICCSA 2005. Lecture Notes in Computer Science, vol 3481. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11424826_24

  • DOI: https://doi.org/10.1007/11424826_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25861-2

  • Online ISBN: 978-3-540-32044-9