SBAD: sequence based attack detection via sequence comparison

Authors:
Ching-Hao Mao;Hsing-Kuo Pao;Christos Faloutsos;Hahn-Ming Lee
Affiliations:
Dept. of Computer Science & Information Engineering, National Taiwan University of Science & Technology, Taipei, Taiwan;Dept. of Computer Science & Information Engineering, National Taiwan University of Science & Technology, Taipei, Taiwan;Dept. of Computer Science, Carnegie Mellon University, Pittsburgh;Dept. of Computer Science & Information Engineering, National Taiwan University of Science & Technology, Taipei, Taiwan and Institute of Information Science, Academia Sinica, Taipei, Taiwa ...
Venue:
PSDML'10 Proceedings of the international ECML/PKDD conference on Privacy and security issues in data mining and machine learning
Year:
2010

Citing 11
Cited 1

FastMap: a fast algorithm for indexing, data-mining and visualization of traditional and multimedia datasets

SIGMOD '95 Proceedings of the 1995 ACM SIGMOD international conference on Management of data
An introduction to Kolmogorov complexity and its applications (2nd ed.)

An introduction to Kolmogorov complexity and its applications (2nd ed.)
Glossary of Terms

Machine Learning - Special issue on applications of machine learning and the knowledge discovery process
SSVM: A Smooth Support Vector Machine for Classification

Computational Optimization and Applications
An Empirical Study of Two Approaches to Sequence Learning for Anomaly Detection

Machine Learning
Database Mining: A Performance Perspective

IEEE Transactions on Knowledge and Data Engineering
Techniques and tools for analyzing intrusion alerts

ACM Transactions on Information and System Security (TISSEC)
Towards parameter-free data mining

Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining
Mining Minimal Distinguishing Subsequence Patterns with Gap Constraints

ICDM '05 Proceedings of the Fifth IEEE International Conference on Data Mining
Modeling network intrusion detection alerts for correlation

ACM Transactions on Information and System Security (TISSEC)
Efficient Mining of Closed Repetitive Gapped Subsequences from a Sequence Database

ICDE '09 Proceedings of the 2009 IEEE International Conference on Data Engineering

Detection of HTTP-GET attack with clustering and information theoretic measurements

FPS'12 Proceedings of the 5th international conference on Foundations and Practice of Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Given a stream of time-stamped events, like alerts in a network monitoring setting, how can we isolate a sequence of alerts that form a network attack? We propose a Sequence Based Attack Detection (SBAD) method, which makes the following contributions: (a) it automatically identifies groups of alerts that are frequent; (b) it summarizes them into a suspicious sequence of activity, representing them with graph structures; and (c) it suggests a novel graph-based dissimilarity measure. As a whole, SBAD is able to group suspicious alerts, visualize them, and spot anomalies at the sequence level. The evaluations from three datasets--two benchmark datasets (DARPA 1999, PKDD 2007) and a private dataset Acer 2007 gathered from a Security Operation Center in Taiwan--support our approach. The method performs well even without the help of the IP and payload information. No need for privacy information as the input makes the method easy to plug into existing system such as an intrusion detector. To talk about efficiency, the proposed method can deal with large-scale problems, such as processing 300K alerts within 20 mins on a regular PC.