Alarm clustering for intrusion detection systems in computer networks

Authors:
Giorgio Giacinto;Roberto Perdisci;Fabio Roli
Affiliations:
Department of Electrical and Electronic Engineering, University of Cagliari, Piazza D Armi, Cagliari, Italy;Department of Electrical and Electronic Engineering, University of Cagliari, Piazza D Armi, Cagliari, Italy;Department of Electrical and Electronic Engineering, University of Cagliari, Piazza D Armi, Cagliari, Italy
Venue:
MLDM'05 Proceedings of the 4th international conference on Machine Learning and Data Mining in Pattern Recognition
Year:
2005

Citing 6
Cited 5

Data clustering: a review

ACM Computing Surveys (CSUR)
Probabilistic Alert Correlation

RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Alert Correlation in a Cooperative Intrusion Detection Framework

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Validation of Sensor Alert Correlators

IEEE Security and Privacy
Managing Alerts in a Multi-Intrusion Detection Environment

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
A mission-impact-based approach to INFOSEC alarm correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

Alarm clustering for intrusion detection systems in computer networks

Engineering Applications of Artificial Intelligence
A comprehensive approach to detect unknown attacks via intrusion detection alerts

ASIAN'07 Proceedings of the 12th Asian computing science conference on Advances in computer science: computer and network security
Effectiveness evaluation of data mining based IDS

ICDM'06 Proceedings of the 6th Industrial Conference on Data Mining conference on Advances in Data Mining: applications in Medicine, Web Mining, Marketing, Image and Signal Mining
Computer network monitoring and abnormal event detection using graph matching and multidimensional scaling

ICDM'06 Proceedings of the 6th Industrial Conference on Data Mining conference on Advances in Data Mining: applications in Medicine, Web Mining, Marketing, Image and Signal Mining
Toward a more practical unsupervised anomaly detection system

Information Sciences: an International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

Until recently, network administrators manually arranged alarms produced by Intrusion Detection Systems (IDSs) to attain a high-level description of threats. As the number of alarms is increasingly growing, automatic tools for alarm clustering have been proposed to provide such a high level description of the attack scenario. In addition, it has been shown that effective threat analysis require the fusion of different sources of information, such as different IDSs, firewall logs, etc. In this paper, we propose a new strategy to perform alarm clustering which produces unified descriptions of attacks from multiple alarms. Tests have been performed on a live network where commercial and open-source IDSs analyzed network traffic.