Abstract
Intrusion detection system(IDS) has played an important role as a device to defend our networks from cyber attacks. However, since it still suffers from detecting an unknown attack, i.e., 0-day attack, the ultimate challenge in intrusion detection field is how we can exactly identify such an attack. This paper presents a novel approach that is quite different from the traditional detection models based on raw traffic data. The proposed method can extract unknown activities from IDS alerts by applying data mining technique. We evaluated our method over the log data of IDS that is deployed in Kyoto University, and our experimental results show that it can extract unknown(or under development) attacks from IDS alerts by assigning a score to them that reflects how anomalous they are, and visualizing the scored alerts.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Denning, D.E.: An intrusion detection model. IEEE Transactions on Software Engineering, SE 13, 222–232 (1987)
Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A Data Mining Analysis of RTID Alarms. Computer Networks 34(4), 571–577 (2000)
Julisch, K.: Clustering Intrusion Detection Alarms to Support Root Cause Analysis. ACM Transactions on Information and System Security 6(4), 443–471 (2003)
Zurutuza, U., Uribeetxeberria, R.: Intrusion Detection Alarm Correlation: A Survey. In: Proceedings of the IADAT International Conference on Telecommunications and Computer Networks (December 1-3, 2004)
Bass, T.: Intrusion detection systems and multisensor data fusion. In: Communications of the ACM, pp. 99–105. ACM Press, New York (2000)
Giacinto, G., Perdisci, R., Roli, F.: Alarm Clustering for Intrusion Detection Systems in Computer Networks. In: Perner, P., Imiya, A. (eds.) MLDM 2005. LNCS (LNAI), vol. 3587, pp. 184–193. Springer, Heidelberg (2005)
Treinen, J.J., Thurimella, R.: A Framework for the Application of Association Rule Mining in Large Intrusion Detection Infrastructures. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 1–18. Springer, Heidelberg (2006)
Symantec Network Security 7100 Series
http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx
Linde, Y., Buzo, A., Gray, R.M.: An Algorithm for Vector Quantizer Design. IEEE Trans. on communications 28(1), 84–95 (1980)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Song, J., Ohba, H., Takakura, H., Okabe, Y., Ohira, K., Kwon, Y. (2007). A Comprehensive Approach to Detect Unknown Attacks Via Intrusion Detection Alerts. In: Cervesato, I. (eds) Advances in Computer Science – ASIAN 2007. Computer and Network Security. ASIAN 2007. Lecture Notes in Computer Science, vol 4846. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76929-3_23
Download citation
DOI: https://doi.org/10.1007/978-3-540-76929-3_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-76927-9
Online ISBN: 978-3-540-76929-3
eBook Packages: Computer ScienceComputer Science (R0)