A decision support system for constructing an alert classification model

Authors:
Nien-Yi Jan;Shun-Chieh Lin;Shian-Shyong Tseng;Nancy P. Lin
Affiliations:
Dept. of Computer Science and Information Engineering, Tamkang University, Taiwan, ROC and Business & Marketing Strategy Research Department, Telecommunication Lab., Chunghwa Telecom Co., Ltd., Ta ...;Dept. of Computer Science, National Chiao Tung University, Taiwan, ROC;Dept. of Computer Science, National Chiao Tung University, Taiwan, ROC;Dept. of Computer Science and Information Engineering, Tamkang University, Taiwan, ROC
Venue:
Expert Systems with Applications: An International Journal
Year:
2009

Citing 11
Cited 4

NiagaraCQ: a scalable continuous query system for Internet databases

SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Continuously adaptive continuous queries over streams

Proceedings of the 2002 ACM SIGMOD international conference on Management of data
Constructing attack scenarios through correlation of intrusion alerts

Proceedings of the 9th ACM conference on Computer and communications security
Sustaining Availability of Web Services under Distributed Denial of Service Attacks

IEEE Transactions on Computers
Mining Sequential Patterns

ICDE '95 Proceedings of the Eleventh International Conference on Data Engineering
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Mining intrusion detection alarms for actionable knowledge

Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
DDoS attack detection method using cluster analysis

Expert Systems with Applications: An International Journal
A mission-impact-based approach to INFOSEC alarm correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
IDS false alarm reduction using continuous and discontinuous patterns

ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security

Parallelizing the design and development of a monitoring system

CDVE'09 Proceedings of the 6th international conference on Cooperative design, visualization, and engineering
Polygraph: system for dynamic reduction of false alerts in large-scale it service delivery environments

USENIXATC'11 Proceedings of the 2011 USENIX conference on USENIX annual technical conference
Alert correlation in collaborative intelligent intrusion detection systems-A survey

Applied Soft Computing
A comprehensive vulnerability based alert management approach for large networks

Future Generation Computer Systems

Quantified Score

Hi-index	12.05

Visualization

Abstract

As the rapid growth of network attacking tools, patterns of network intrusion events change gradually. Although many researches had been proposed to analyze network intrusion behaviors in accordance with low-level network data, they still suffer a large mount of false alerts and result in difficulties for network administrators to discover useful information from these alerts. To reduce the load of administrators, by collecting and analyzing unknown attack sequences systematically, administrators can do the duty of fixing the root causes. Due to the different characteristics of each intrusion, none of analysis methods can correlate IDS alerts precisely and discover all kinds of real intrusion patterns. Therefore, an alert-based decision support system is proposed in this paper to construct an alert classification model for on-line network behavior monitoring. The architecture of decision support system consists of three phases: Alert Preprocessing Phase, Model Constructing Phase and Rule Refining Phase. The Alert Processing Phase is used to transform IDS alerts into alert transactions with specific data format as alert subsequences, where an alert sequence is a kind of well-aggregated alert transaction format to discover intrusion behaviors. Besides, the Model Constructing Phase is used to construct three kinds of rule classes: normal rule classes, intrusion rule classes and suspicious rule classes, to filter false alert patterns and analyze each existing or unknown alert patterns; each rule class represents a set of classification rules. Normal rule class, a set of false alert classification rules, can be trained by using sequential pattern mining approach in an attack-free environment. Intrusion rule classes, a set of known intrusion classification rules, and suspicious rule classes, a set of novel intrusion classification rules, can be trained in a simulated attacking environment using several well-known rootkits and labeling by experts. Finally, the Rule Refining Phase is used to change the classification flags of alert sequence across different time intervals. According to the urgent situations of different levels, Network administrators can do event protecting or vulnerability repairing, even or cause tracing of attacks. Therefore, the decision support system can prevent attacks effectively, find novel attack patterns exactly and reduce the load of administrators efficiently.