Using self-organizing maps to build an attack map for forensic analysis

Authors:
H. Güneş Kayacik;A. Nur Zincir-Heywood
Affiliations:
Dalhousie University, Halifax, Nova Scotia;Dalhousie University, Halifax, Nova Scotia
Venue:
Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services
Year:
2006

Citing 6
Cited 0

Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Data mining: concepts and techniques

Data mining: concepts and techniques
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Visualizing Network Data

IEEE Transactions on Visualization and Computer Graphics
Case study: 3D displays of Internet traffic

INFOVIS '95 Proceedings of the 1995 IEEE Symposium on Information Visualization
The Honeynet Project: Trapping the Hackers

IEEE Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this work, we focus on developing behavioral models of known attacks to help security experts to identify the similarities between attacks. Furthermore, these attack behavior models can be used to analyze zero-day attacks, which security experts have limited knowledge of. To this end, a Self Organizing Feature Map (SOM) is employed to model the relationship between known attacks and U-Matrix representation is used to create a two dimensional topological map of known attacks. The approach is evaluated on KDD'99 data set. Results show that attacks with similar behavior patterns are placed together on the map. Moreover, when new attacks are presented, SOM assigned similar labels to the attacks that are newer versions of the known attacks.