It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. This paper presents a new approach for handling intrusion detection alarms more efficiently. Central to this approach is the notion that each alarm occurs for a reason, which is referred to as the alarm's root cause. This paper observes that a few dozen rather persistent root causes generally account for over 90% of the alarms that an intrusion detection system triggers. Therefore, we argue that alarms should be handled by identifying and removing the most predominant and persistent root causes. To make this paradigm practicable, we propose a novel alarm-clustering method that supports the human analyst in identifying root causes. We present experiments with real-world intrusion detection alarms to show how alarm clustering helped us identify root causes. Moreover, we show that the alarm load decreases quite substantially if the identified root causes are eliminated so that they can no longer trigger alarms in the future.
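The following is an added illustration of the alarm-clustering idea described in the abstract; it is not the paper's own implementation. It assumes a simplified attribute-oriented induction: alarms start at their exact attribute values, the attribute with the most distinct values is generalized one step up a small hierarchy (IP address to /24 to /16 to any; port to service group to any; signature to any), and as soon as one generalized alarm covers at least `min_size` raw alarms it is reported as a candidate root cause, the alarms it covers are removed, and the search restarts on what is left. The hierarchies, the `min_size` parameter and the alarm log are all constructed for this example.

```python
"""Alarm clustering for root-cause analysis (added illustration, not the paper's code).

Simplified attribute-oriented induction: generalize the attribute with the most
distinct values until a generalized alarm covers >= min_size raw alarms, report
it as a candidate root cause, drop the covered alarms, repeat.
"""
from collections import Counter
from ipaddress import ip_network

ATTRS = ("sig", "src", "dst", "port")
# Assumed service grouping for the port hierarchy (example only).
SERVICE_GROUP = {80: "web", 443: "web", 8080: "web", 25: "mail", 110: "mail", 143: "mail"}


def gen_ip(ip, level):
    """Generalize an IPv4 address: exact -> /24 -> /16 -> any."""
    if level == 0:
        return ip
    if level in (1, 2):
        return str(ip_network(f"{ip}/{24 if level == 1 else 16}", strict=False))
    return "ANY-IP"


def gen_port(port, level):
    """Generalize a port: exact -> service group -> any."""
    if level == 0:
        return port
    return SERVICE_GROUP.get(port, "other") if level == 1 else "ANY-PORT"


def gen_sig(sig, level):
    return sig if level == 0 else "ANY-SIG"


GENERALIZE = {"sig": gen_sig, "src": gen_ip, "dst": gen_ip, "port": gen_port}
MAX_LEVEL = {"sig": 1, "src": 3, "dst": 3, "port": 2}


def generalize(alarm, levels):
    """Map a raw alarm to its generalized form at the given per-attribute levels."""
    return tuple(GENERALIZE[a](alarm[a], levels[a]) for a in ATTRS)


def cluster_alarms(alarms, min_size):
    """Return (clusters, leftovers); a cluster is (generalized_alarm, levels, size)."""
    remaining, clusters = list(alarms), []
    while len(remaining) >= min_size:          # fewer than min_size can never form a cluster
        levels = {a: 0 for a in ATTRS}
        while True:
            key, size = Counter(generalize(al, levels) for al in remaining).most_common(1)[0]
            if size >= min_size:
                break
            # Generalize the attribute that currently has the most distinct values.
            candidates = [a for a in ATTRS if levels[a] < MAX_LEVEL[a]]
            pick = max(candidates,
                       key=lambda a: len({GENERALIZE[a](al[a], levels[a]) for al in remaining}))
            levels[pick] += 1
        clusters.append((key, dict(levels), size))
        remaining = [al for al in remaining if generalize(al, levels) != key]
    return clusters, remaining


def alarm_load_after_removal(alarms, clusters):
    """Alarms still triggered once the root causes behind `clusters` are fixed."""
    kept = list(alarms)
    for key, levels, _ in clusters:
        kept = [al for al in kept if generalize(al, levels) != key]
    return len(kept)


def constructed_alarms():
    """Constructed sample log: three persistent root causes plus a few one-off alarms."""
    alarms = []
    for i in range(1, 41):   # A: a misconfigured monitor probing a whole subnet over HTTP
        alarms.append({"sig": "HTTP probe", "src": "10.1.5.7", "dst": f"192.168.2.{i}", "port": 80})
    for _ in range(25):      # B: a broken mail relay hammering one mail server
        alarms.append({"sig": "SMTP relay attempt", "src": "10.1.9.3", "dst": "172.16.0.10", "port": 25})
    for i in range(1, 21):   # C: an infected subnet scanning one host for SMB
        alarms.append({"sig": "SMB probe", "src": f"10.2.3.{i}", "dst": "10.0.0.1", "port": 445})
    for sig, src, dst, port in [("DNS zone transfer", "10.4.4.4", "10.0.0.53", 53),
                                ("SSH brute force", "10.5.5.5", "10.0.0.22", 22),
                                ("FTP bounce", "10.6.6.6", "10.0.0.21", 21),
                                ("Telnet login", "10.7.7.7", "10.0.0.23", 23),
                                ("SNMP public", "10.8.8.8", "10.0.0.161", 161)]:
        alarms.append({"sig": sig, "src": src, "dst": dst, "port": port})
    return alarms


if __name__ == "__main__":
    alarms = constructed_alarms()
    clusters, leftovers = cluster_alarms(alarms, min_size=10)
    for key, levels, size in clusters:
        print(f"{size:3d} alarms  {key}  levels={levels}")
    covered = sum(s for _, _, s in clusters)
    print(f"{len(clusters)} clusters cover {covered}/{len(alarms)} alarms ({100 * covered / len(alarms):.1f}%)")
    print("alarm load after fixing all identified root causes:", alarm_load_after_removal(alarms, clusters))
```

On the constructed log the three clusters cover 85 of 90 alarms, and the generalization levels recorded with each cluster tell the analyst what was abstracted away (for instance, the HTTP cluster only needed the destination generalized to a /24, which points at a single source sweeping a subnet). The `min_size` threshold is the knob that trades cluster purity against coverage: set it too low and one-off alarms get absorbed into over-generalized clusters, too high and smaller but still persistent root causes go unreported.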