Alert Correlation Analysis based on Clustering Technique for IDS


The KIPS Transactions:PartC, Vol. 10, No. 6, pp. 665-674, Oct. 2003
DOI: 10.3745/KIPSTC.2003.10.6.665

Abstract

In this paper, we propose an approach to correlating alerts using clustering analysis, a data mining technique, in order to support intrusion detection systems. Intrusion detection techniques have been developed to protect computer and network systems against malicious attacks. However, intrusion detection techniques are still far from perfect. Current intrusion detection systems cannot fully detect novel attacks or variations of known attacks without generating a large number of false alerts. In addition, all current intrusion detection systems focus on low-level attacks or anomalies. Consequently, intrusion detection systems usually generate a large number of alerts. In situations where there are intensive intrusive actions, it is difficult for users or intrusion response systems to understand the intrusion behind the alerts and take appropriate actions. Clustering analysis groups data objects into clusters such that objects belonging to the same cluster are similar, while those belonging to different clusters are dissimilar. By using a clustering technique, we can analyze alert data efficiently and extract high-level knowledge about attacks. Namely, it becomes possible to classify new types of alerts as well as existing ones. It also helps in understanding the logical steps and strategies behind a series of attacks, using sequences of clusters, and can potentially be applied to predict attacks in progress.
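The following is an added illustration (not code from the paper) of the idea described in the abstract: alerts are grouped by attribute similarity, a previously unseen signature is absorbed into an existing cluster when its other attributes match, and each source's time-ordered sequence of clusters exposes the steps of an attack. The alert records, the attribute weights and the similarity threshold are constructed assumptions, and the single-pass leader clustering stands in for whatever clustering algorithm the paper itself uses.

```python
from collections import defaultdict

# Constructed sample IDS alerts (not from the paper):
# (timestamp, signature, source IP, destination IP, destination port)
ALERTS = [
    (1, "PORTSCAN",  "10.0.0.5", "192.168.1.10", 0),
    (2, "PORTSCAN",  "10.0.0.5", "192.168.1.11", 0),
    (3, "PORTSCAN",  "10.0.0.5", "192.168.1.12", 0),
    (4, "SSH_BRUTE", "10.0.0.5", "192.168.1.10", 22),
    (5, "SSH_BRUTE", "10.0.0.5", "192.168.1.10", 22),
    (6, "WEB_SQLI",  "10.0.0.9", "192.168.1.20", 80),
    (7, "NEW_SIG_X", "10.0.0.5", "192.168.1.10", 22),  # signature never seen before
]

# Assumed weight of each attribute in the similarity score (out of 10):
# signature, source IP, destination IP, destination port
WEIGHTS = (4, 3, 2, 1)

def similarity(a, b):
    """Weighted attribute-match score from 0 to 10; the timestamp is ignored."""
    return sum(w for w, x, y in zip(WEIGHTS, a[1:], b[1:]) if x == y)

def cluster_alerts(alerts, threshold=6):
    """Single-pass leader clustering: an alert joins the first cluster whose
    leader (its earliest member) scores at least `threshold`, else starts a new one.
    A novel signature can still be placed next to known alerts from the same host."""
    clusters = []
    for alert in sorted(alerts):            # process in timestamp order
        for members in clusters:
            if similarity(members[0], alert) >= threshold:
                members.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters

def attack_sequences(clusters):
    """Per source IP, the time-ordered sequence of cluster ids with consecutive
    repeats collapsed: the attacker's logical steps expressed as clusters."""
    labelled = sorted((a[0], a[2], cid)
                      for cid, members in enumerate(clusters) for a in members)
    seqs = defaultdict(list)
    for _, src, cid in labelled:
        if not seqs[src] or seqs[src][-1] != cid:
            seqs[src].append(cid)
    return dict(seqs)

if __name__ == "__main__":
    found = cluster_alerts(ALERTS)
    for cid, members in enumerate(found):
        print(cid, sorted({m[1] for m in members}), len(members), "alerts")
    print(attack_sequences(found))   # {'10.0.0.5': [0, 1], '10.0.0.9': [2]}
```

With the constructed data, the unseen signature NEW_SIG_X lands in the SSH brute-force cluster because it shares source, target and port with that cluster's leader, and the source 10.0.0.5 yields the two-step sequence scan then brute force.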



Cite this article
[IEEE Style]
S. M. Seon, M. H. Seong, L. G. Ho, J. J. Su, "Alert Correlation Analysis based on Clustering Technique for IDS," The KIPS Transactions:PartC, vol. 10, no. 6, pp. 665-674, 2003. DOI: 10.3745/KIPSTC.2003.10.6.665.

[ACM Style]
Sin Mun Seon, Mun Ho Seong, Lyu Geun Ho, and Jang Jong Su. 2003. Alert Correlation Analysis based on Clustering Technique for IDS. The KIPS Transactions:PartC, 10, 6, (2003), 665-674. DOI: 10.3745/KIPSTC.2003.10.6.665.