IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Multivariate data analysis software for enhancing system security
Journal of Systems and Software
Anomaly-based intrusion detection: privacy concerns and other problems
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Building agents for rule-based intrusion detection system
Computer Communications
Integrated expert system applied to the analysis of non-technical losses in power utilities
Expert Systems with Applications: An International Journal
Testing ensembles for intrusion detection: On the identification of mutated network scans
CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Expert Systems with Applications: An International Journal
A real-time risk control and monitoring system for incident handling in wine storage
Expert Systems with Applications: An International Journal
CoKIM: Collaborative and Social Knowledge-Based Incident Manager
ASONAM '12 Proceedings of the 2012 International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2012)
Hi-index | 12.06 |
Recently, as hacking attempts increase dramatically; most enterprises are forced to employ some safeguards for hacking proof. For example, firewall or IPS (Intrusion Prevention System) selectively accepts the incoming packets, and IDS (Intrusion Detection System) detects the attack attempts from network. The latest version of firewall works in cooperation with IDS to immediately response to hacking attempts. However, it may make false alarms that misjudge normal traffic as hacking traffic and cause network problems to block the normal IP address by false alarms. By these false alarms made by IDS, system administrators or CSOs make wrong decisions and important data may be exposed or the availability of network or server system may be exhausted. Therefore, it is important to minimize the false alarms. As a way of minimizing false alarms and supporting adequate decisions, we suggest the RFM (Recency, Frequency, Monetary) analysis methodology, which analyzes log files with incorporating three criteria of recency, frequency and monetary with statistical process control chart, and thus leads to an intuitive detection of anomaly and misuse events. Moreover, to cope with hacking attempts proactively, we apply CBR (case based reasoning) to find out similarities between already known hacking patterns and new hacking patterns. With the RFM analysis methodology and CBR, we develop DSS which can minimize false alarms and decrease the time to respond to hacking events. In case that RFM analysis module finds out unknown viruses or worms occurred, this CBR system matches the most similar incident case from case-based database. System administrators can easily get information about how to fix and how we fixed in similar cases. And CSOs can build a blacklist of frequently detected IP addresses and users. This blacklist can be used for incident handling. Finally, we propose collaborative incident response system with DSS, this distributed agent systems interactively exchange the suspicious users and source IP addresses data and decide who is true-anomalous users and which IP addresses is the most riskiest and then deny all connections from that users and IP addresses automatically with less false-positives.