DocumentCode :
2999934
Title :
Mining of Attack Models in IDS Alerts from Network Backbone by a Two-stage Clustering Method
Author :
Qiao, Lin-Bo ; Zhang, Bo-Feng ; Lai, Zhi-Quan ; Su, Jin-Shu
Author_Institution :
Coll. of Comput., Nat. Univ. of Defense Technol., Changsha, China
fYear :
2012
fDate :
21-25 May 2012
Firstpage :
1263
Lastpage :
1269
Abstract :
There is a big difference between IDS alerts from the network backbone and those from the lab, but little work has been done to mine attack models in IDS alerts from the network backbone. The contributions of this paper are three-fold. First, we propose an alert reduction method based on statistical redundancy (RMSR) to reduce alert redundancy. Second, we propose a two-stage clustering algorithm to analyze the spatial and temporal relations in the alert sequences of network intrusion behaviors. Third, we propose a novel approach, Loose Longest Common Subsequence (LLCS), to extract the attack models of network intrusion behaviors. The experimental results show that the reduction approach efficiently reduces IDS alert redundancy and that the generated attack models have a strong logical relation.
Keywords :
data mining; pattern clustering; security of data; statistical analysis; IDS alerts; LLCS; RMSR; alert reduction method based on statistical redundancy; attack models mining; loose longest common subsequence; network backbone; network intrusion behavior alert sequence; two-stage clustering method; Analytical models; Clustering algorithms; Clustering methods; Correlation; IP networks; Redundancy; Telecommunication traffic; IDS alert correlation; attack model extraction; data reduction; network backbone; sequence analysis; two-stage clustering;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Parallel and Distributed Processing Symposium Workshops & PhD Forum (IPDPSW), 2012 IEEE 26th International
Conference_Location :
Shanghai
Print_ISBN :
978-1-4673-0974-5
Type :
conf
DOI :
10.1109/IPDPSW.2012.146
Filename :
6270784