GENERATING SECURITY EVENT CORRELATION RULES THROUGH K-MEANS CLUSTERING

Nelson Uto, Helen Teixeira, Andre Blazko, Marcos Ferreira de Paula, Renata Cicilini Teixeira, Mamede Lima Marques

Abstract

Current implementations of intrusion detection systems (IDSs) have two drawbacks: 1) they normally generate far too many false positives, overloading human operators to such an extent that they can not respond effectively to the real alerts; 2) depending on the proportion of genuine attacks within the total network traffic, an IDS may never be effective. One approach to overcoming these obstacles is to correlate information from a wide variety of networks sensors, not just IDSs, in order to obtain a more complete picture on which to base decisions as to whether alerted events represent malicious activity or not. The challenge in such an analysis is the generation of the correlation rules that are to be used. At present, creating these rules is a time consuming manual task that requires expert knowledge. This work describes how data mining, specifically the k-means clustering technique, can be employed to assist in the semi-automatic generation of such correlation rules.

References

  1. Axelsson, S. (1999). The base-rate fallacy and its implications for the difficulty of intrusion detection. In Proceedings of the 6th ACM Conference on Computer and Communications Security, pages 1-7.
  2. Brugger, S. T. (2004). Data mining methods for network intrusion detection. http: //www.bruggerink.com/~zow/papers/ brugger dmnid survey.pdf.
  3. Burns, L., Hellerstein, J. L., Ma, S., Peng, C. S., Rabenhorst, D. A., and Taylor, D. (2000). A systematic approach to discovering correlation rules for event management. IBM Research Report RC 21847, IBM.
  4. Debar, H., Curry, D., and Feinstein, B. (2005). The intrusion detection message exchange format. http://www.ietf.org/internet-drafts/draft-ietfidwg-idmef-xml-14.txt.
  5. Drew, S. (2003). Intrusion detection faq - what is the role of security event correlation in intrusion detection? http://www.sans.org/resources/idfaq/role.php.
  6. Han, J. and Kamber, M. (2000). Data Mining: Concepts and Techniques. Morgan Kaufmann.
  7. Jiang, G. and Cybenko, G. (2004). Temporal and spatial distributed event correlation for network security. In Proc. of American Control Conf., pages 996-1001.
  8. Kreibich, C. and Crowcroft, J. (2004). Honeycomb - creating intrusion detection signatures using honeypots. SIGCOMM Comput. Commun. Rev., 34(1):51-56.
  9. Manganaris, S., Christensen, M., Zerkle, D., and Hermiz, K. (2000). A data mining analysis of rtid alarms. Computer Networks: The International Journal of Computer and Telecommunications Networking, 34(4):571-577.
  10. Morin, B. and Debar, H. (2003). Correlation of intrusion symptoms: an application of chronicles. In RAID 2003, volume 2820 of LNCS, pages 94-112. Springer.
  11. Ning, P., Cui, Y., and Reeves, D. S. (2002). Analyzing intensive intrusion alerts via correlation. In RAID 2002, volume 2516 of LNCS, pages 74-94. Springer.
  12. Yemini, S. A., Kliger, S., Mozes, E., Yemini, Y., and Ohsie, D. (1996). High speed and robust event correlation. IEEE Communications Magazine, 34(5):82-90.
  13. Yin, X., Lakkaraju, K., Li, Y., and Yurcik, W. (2003). Selecting log data sources to correlate attack traces for computer network security: Preliminary results. In Proc. of the 11th Intl. Conference on Telecommunication Systems, Modeling and Analysis (ICTSM11).
Download


Paper Citation


in Harvard Style

Uto N., Teixeira H., Blazko A., Ferreira de Paula M., Cicilini Teixeira R. and Lima Marques M. (2005). GENERATING SECURITY EVENT CORRELATION RULES THROUGH K-MEANS CLUSTERING . In Proceedings of the Second International Conference on e-Business and Telecommunication Networks - Volume 1: ICETE, ISBN 972-8865-32-5, pages 376-381. DOI: 10.5220/0001417903760381


in Bibtex Style

@conference{icete05,
author={Nelson Uto and Helen Teixeira and Andre Blazko and Marcos Ferreira de Paula and Renata Cicilini Teixeira and Mamede Lima Marques},
title={GENERATING SECURITY EVENT CORRELATION RULES THROUGH K-MEANS CLUSTERING},
booktitle={Proceedings of the Second International Conference on e-Business and Telecommunication Networks - Volume 1: ICETE,},
year={2005},
pages={376-381},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001417903760381},
isbn={972-8865-32-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Second International Conference on e-Business and Telecommunication Networks - Volume 1: ICETE,
TI - GENERATING SECURITY EVENT CORRELATION RULES THROUGH K-MEANS CLUSTERING
SN - 972-8865-32-5
AU - Uto N.
AU - Teixeira H.
AU - Blazko A.
AU - Ferreira de Paula M.
AU - Cicilini Teixeira R.
AU - Lima Marques M.
PY - 2005
SP - 376
EP - 381
DO - 10.5220/0001417903760381