The massive volume of intrusion detection system (IDS) alarms generated on large networks, and the resulting need for labor-intensive security analysis of the text-based IDS alarm logs, have recently brought into question the cost-effectiveness of IDSs. In particular, when host-based IDSs are used to monitor an organization's internal networks, the majority of the resulting alarms represent legitimate, automated system administration. Because ground truth about known attacks is absent, we propose an unsupervised, anomaly-based method for automatically distinguishing alarms that are potentially generated by malicious insider attacks from the repetitive and temporally structured alarms produced by legitimate system administration. The majority of previous work in this area has used heuristic and statistical filtering techniques to discard a relatively large proportion of alarms before the final presentation to the security analyst, which is a potentially dangerous practice. Instead, we demonstrate the use of a typicality measure to visualize the apparent risk associated with alarms while retaining information about the temporal context of the entire alarm stream for the analyst to view. The relevance of the statistical method is examined by comparing its results to a set of analyst-curated alarms from an operational environment.