標題: A decision support system for constructing an alert classification model
作者: Jan, Nien-Yi
Lin, Shun-Chieh
Tseng, Shian-Shyong
Lin, Nancy P.
資訊工程學系
Department of Computer Science
關鍵字: Decision support system;Alert classification;Sequential pattern mining;Intrusion detection;Model construction
公開日期: 1-Oct-2009
摘要: As the rapid growth of network attacking tools, patterns of network intrusion events change gradually. Although many researches had been proposed to analyze network intrusion behaviors in accordance with low-level network data, they still suffer a large mount of false alerts and result in difficulties for network administrators to discover useful information from these alerts. To reduce the load of administrators, by collecting and analyzing unknown attack sequences systematically, administrators can do the duty of fixing the root causes. Due to the different characteristics of each intrusion, none of analysis methods can correlate IDS alerts precisely and discover all kinds of real intrusion patterns. Therefore, an alert-based decision support system is proposed in this paper to construct an alert classification model for on-line network behavior monitoring. The architecture of decision support system consists of three phases: Alert Preprocessing Phase, Model Constructing Phase and Rule Refining Phase. The Alert Processing Phase is used to transform IDS alerts into alert transactions with specific data format as alert subsequences, where an alert sequence is a kind of well-aggregated alert transaction format to discover intrusion behaviors. Besides, the Model Constructing Phase is used to construct three kinds of rule classes: normal rule classes, intrusion rule classes and suspicious rule classes, to filter false alert patterns and analyze each existing or unknown alert patterns; each rule class represents a set of classification rules. Normal rule class, a set of false alert classification rules, can be trained by using sequential pattern mining approach in an attack-free environment. Intrusion rule classes, a set of known intrusion classification rules, and suspicious rule classes, a set of novel intrusion classification rules, can be trained in a simulated attacking environment using several well-known rootkits and labeling by experts. Finally, the Rule Refining Phase is used to change the classification flags of alert sequence across different time intervals. According to the urgent situations of different levels, Network administrators can do event protecting or vulnerability repairing, even or cause tracing of attacks. Therefore, the decision support system can prevent attacks effectively, find novel attack patterns exactly and reduce the load of administrators efficiently. Crown Copyright (C) 2009 Published by Elsevier Ltd. All rights reserved.
URI: http://dx.doi.org/10.1016/j.eswa.2009.02.097
http://hdl.handle.net/11536/6606
ISSN: 0957-4174
DOI: 10.1016/j.eswa.2009.02.097
期刊: EXPERT SYSTEMS WITH APPLICATIONS
Volume: 36
Issue: 8
起始頁: 11145
結束頁: 11155
Appears in Collections:Articles


Files in This Item:

  1. 000267179500039.pdf