DocumentCode
1658126
Title
A subjective distance for clustering security events
Author
Wang, Jianxin ; Zhao, Geng ; Zhang, Weidong
Author_Institution
Sch. of Inf., Beijing Forestry Univ., China
Volume
1
fYear
2005
Firstpage
74
Abstract
Intrusion detection systems overload their human operators by triggering thousands of alarms per day, most of which are false positives. A clustering method, put forward by Klaus Julisch, is very effective in eliminating false positives and finding their root causes. However, because operators vary in knowledge and experience, a gap may exist between the nature of the event clusters and what the operators obtain from the resulting clusters. A subjective distance, different from the objective distance defined by Julisch, is proposed to fill this gap by controlling the clustering process with the subjective distance.
Keywords
data mining; knowledge based systems; security of data; trees (mathematics); alarm false positives; association rules; clustering process; episode mining; event clustering; event clusters; intrusion detection systems; objective distance; security event clustering; subjective distance; taxonomy trees; Association rules; Clustering methods; Forestry; Humans; Information security; Intrusion detection; Laboratories; Process control; Protection; Taxonomy;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, Circuits and Systems, 2005. Proceedings. 2005 International Conference on
Print_ISBN
0-7803-9015-6
Type
conf
DOI
10.1109/ICCCAS.2005.1493365
Filename
1493365