Traditionally, signature-based network Intrusion Detection Systems (IDS) rely on input from domain experts and can only identify attacks that occur as individual events. An IDS generates a large number of alerts, and it becomes very difficult for human users to go through each message. Previous research has proposed analytics-based approaches to analyzing IDS alert patterns using anomaly detection models, multi-step models, or probabilistic approaches. However, due to the complexity of network intrusions, it is impossible to develop all possible attack patterns or to avoid false positives. With advances in technology and the popularity of networks in our daily lives, it is becoming more and more difficult to detect network intrusions. However, no matter how rapidly technologies change, the human behaviors behind cyber attacks stay relatively constant. This gives us an opportunity to develop an improved system for detecting unusual cyber attacks. In this paper, we developed four network intrusion models that take human factors into account. We then tested these models on ITOC Cyber Defense Competition (CDX) 2009 data. Our results are encouraging: these models are not only able to recognize most network attacks identified by SNORT log alerts, they are also able to distinguish non-attack network traffic that was potentially missed by SNORT, as indicated by ground-truth validation of the data.