Title :
Correlating alerts with a data mining based approach
Author :
Xiang, Guang ; Dong, Xiaomei ; Yu, Ge
Author_Institution :
Sch. of Inf. Sci. & Eng., Northeastern Univ., Boston, MA, USA
Date :
29 March-1 April 2005
Abstract :
When monitoring anomalous network activity, intrusion detection systems tend to generate a large number of alerts, which greatly increases the workload of post-detection analysis and decision-making. In this paper, we propose a correlation approach based on sequential pattern mining techniques to fuse related alerts produced by distributed denial of service (DDoS) attacks. By mining the alert sequences and iteratively consolidating the alerts that match the mined sequential patterns, our approach greatly reduces the number of related alerts and identifies their DDoS membership. The alert reduction and fusion mechanism allows the analyst to work at a higher level of abstraction and thus saves the considerable effort otherwise spent on analyzing a large volume of trivial raw alerts. Experimental comparison of our method with a hidden Markov model (HMM), a powerful stochastic model for sequence analysis, shows that our algorithm performs slightly better than the HMM at DDoS alert sequence identification.
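The abstract describes the approach only at a high level: mine sequential patterns from per-target alert sequences, then iteratively consolidate the alerts that match a pattern into a single fused alert labelled with its DDoS membership. The following is an added worked example of that general idea, written for this page; it is not the authors' algorithm or code. The alert types, host addresses, timestamps, support threshold and the rule that a pattern containing a flood-stage alert counts as DDoS-related are all constructed assumptions.

```python
"""Added example: sequential-pattern mining over IDS alert sequences, followed by
iterative fusion of the alerts matching a mined pattern into one meta-alert.
Illustrates the general idea only; not the paper's algorithm. All data is constructed."""
from collections import Counter, defaultdict
from itertools import combinations

# Hypothetical flood-stage alert types; a fused pattern containing one is labelled DDoS.
FLOOD_TYPES = {"SYN_FLOOD", "UDP_FLOOD", "ICMP_FLOOD"}


def _make(target, types, start):
    """Build a constructed alert list for one target host, alerts 10 s apart."""
    return [{"ts": start + 10 * i, "target": target, "type": t}
            for i, t in enumerate(types)]


# Constructed sample alerts (not real IDS output): three hosts show the full
# scan -> exploit -> agent install -> handler traffic -> flood chain, two show noise.
DDOS_CHAIN = ["SCAN", "EXPLOIT", "AGENT_INSTALL", "HANDLER_COMM", "SYN_FLOOD"]
ALERTS = (
    _make("10.0.0.1", DDOS_CHAIN, 100)
    + _make("10.0.0.2", DDOS_CHAIN, 120)
    + _make("10.0.0.3", ["SCAN", "EXPLOIT", "WEB_ATTACK", "AGENT_INSTALL",
                         "HANDLER_COMM", "SYN_FLOOD"], 140)
    + _make("10.0.0.4", ["SCAN", "WEB_ATTACK"], 160)
    + _make("10.0.0.5", ["WEB_ATTACK", "SCAN"], 180)
)


def match_pattern(pattern, symbols):
    """Leftmost in-order (not necessarily contiguous) match of pattern in symbols.
    Returns the matched indices, or None if pattern is not a subsequence."""
    indices, pos = [], 0
    for sym in pattern:
        while pos < len(symbols) and symbols[pos] != sym:
            pos += 1
        if pos == len(symbols):
            return None
        indices.append(pos)
        pos += 1
    return indices


def mine_sequential_patterns(sequences, min_support, max_len=6):
    """Count, once per sequence, every subsequence of length 2..max_len and keep
    those supported by at least min_support sequences. Brute force, adequate for
    short per-host sequences; a PrefixSpan-style miner would replace it at scale."""
    support = Counter()
    for seq in sequences:
        seen = set()
        for k in range(2, min(max_len, len(seq)) + 1):
            for idx in combinations(range(len(seq)), k):
                seen.add(tuple(seq[i] for i in idx))
        support.update(seen)
    frequent = {p: c for p, c in support.items() if c >= min_support}
    # Keep only maximal patterns: drop any that is a subsequence of another frequent one.
    return {p: c for p, c in frequent.items()
            if not any(q != p and match_pattern(p, q) is not None for q in frequent)}


def fuse_alerts(alerts, patterns):
    """Iteratively replace the alerts matching the longest pattern with one
    meta-alert until nothing matches; the result stays in time order."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    for pattern in sorted(patterns, key=len, reverse=True):
        while True:
            idx = match_pattern(pattern, [a["type"] for a in alerts])
            if idx is None:
                break
            matched = set(idx)
            members = [alerts[i] for i in idx]
            meta = {
                "ts": members[0]["ts"],
                "target": members[0]["target"],
                "type": "FUSED:" + "+".join(pattern),  # never matches a raw pattern symbol
                "pattern": pattern,
                "members": len(members),
                "ddos": any(t in FLOOD_TYPES for t in pattern),
            }
            alerts = [a for i, a in enumerate(alerts) if i not in matched] + [meta]
            alerts.sort(key=lambda a: a["ts"])
    return alerts


def correlate(alerts, min_support=3):
    """Group alerts per target host, mine patterns across hosts, then fuse per host.
    Returns (fused alert list in time order, maximal frequent patterns with support)."""
    by_target = defaultdict(list)
    for a in alerts:
        by_target[a["target"]].append(a)
    sequences = [[a["type"] for a in sorted(v, key=lambda a: a["ts"])]
                 for v in by_target.values()]
    patterns = mine_sequential_patterns(sequences, min_support)
    fused = []
    for v in by_target.values():
        fused.extend(fuse_alerts(v, patterns))
    return sorted(fused, key=lambda a: a["ts"]), patterns


def reduction_ratio(raw, fused):
    """Fraction of raw alerts removed by fusion."""
    return 1.0 - len(fused) / len(raw)


if __name__ == "__main__":
    fused, patterns = correlate(ALERTS)
    for p, c in patterns.items():
        print("pattern", "->".join(p), "support", c)
    print(f"{len(ALERTS)} raw alerts fused into {len(fused)}")
```

Two design points worth noting for anyone adapting this: support is counted per sequence, not per occurrence, so a single noisy host that repeats a stage many times cannot make a pattern "frequent" on its own; and fusion always tries the longest maximal pattern first, so a complete attack chain is collapsed into one alert rather than into several overlapping fragments of it.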
Keywords :
correlation methods; data mining; decision making; hidden Markov models; security of data; DDoS alert sequence identification; anomalous network activities monitoring; correlation alerts; data mining; decision-making; distributed denial of service attack; fusing mechanism; hidden Markov model; intrusion detection system; post-detection analysis; sequence analysis; sequential pattern mining technique; stochastic process; Algorithm design and analysis; Computer crime; Data mining; Decision making; Fuses; Hidden Markov models; Intrusion detection; Monitoring; Pattern matching; Stochastic processes;
Conference_Titel :
Proceedings of the 2005 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE '05)
Print_ISBN :
0-7695-2274-2
DOI :
10.1109/EEE.2005.56