Using unsupervised learning for network alert correlation

Authors:
Reuben Smith;Nathalie Japkowicz;Maxwell Dondo;Peter Mason
Affiliations:
School of Information Technology and Engineering, University of Ottawa, ON, Canada;School of Information Technology and Engineering, University of Ottawa, ON, Canada;Defence Research and Development Canada, Ottawa, ON, Canada;Defence Research and Development Canada, Ottawa, ON, Canada
Venue:
Canadian AI'08 Proceedings of the Canadian Society for computational studies of intelligence, 21st conference on Advances in artificial intelligence
Year:
2008

Citing 9
Cited 5

Self-organizing maps

Self-organizing maps
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Network Intrusion Detection: An Analyst's Handbook

Network Intrusion Detection: An Analyst's Handbook
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Mining intrusion detection alarms for actionable knowledge

Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Validation of Sensor Alert Correlators

IEEE Security and Privacy
Unsupervised learning techniques for an intrusion detection system

Proceedings of the 2004 ACM symposium on Applied computing
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Learning intrusion detection: supervised or unsupervised?

ICIAP'05 Proceedings of the 13th international conference on Image Analysis and Processing

Intrusion detection alarms reduction using root cause analysis and clustering

Computer Communications
Prioritizing intrusion analysis using Dempster-Shafer theory

Proceedings of the 4th ACM workshop on Security and artificial intelligence
Multi-layer episode filtering for the multi-step attack detection

Computer Communications
Survey A model-based survey of alert correlation techniques

Computer Networks: The International Journal of Computer and Telecommunications Networking
Alert correlation: Severe attack prediction and controlling false alarm rate tradeoffs

Intelligent Data Analysis

Quantified Score

Hi-index	0.00

Visualization

Abstract

Alert correlation systems are post-processing modules that enable intrusion analysts to find important alerts and filter false positives efficiently from the output of Intrusion Detection Systems. Typically, however, these modules require high levels of human involvement in creating the system and/or maintaining it, as patterns of attacks change as often as from month to month. We present an alert correlation system based on unsupervised machine learning algorithms that is accurate and low maintenance. The system is implemented in two stages of correlation. At the first stage, alerts are grouped together such that each group forms one step of an attack. At the second stage, the groups created at the first stage are combined such that each combination of groups contains the alerts of precisely one full attack. We tested various implementations of the system. The most successful one relies in the first stage on a new unsupervised algorithm inspired by an existing novelty detection system, and the EM algorithm in the second stage. Our experimental results show that, with our model, the number of alerts that an analyst has to deal with is significantly reduced.