It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. This paper presents a new approach for handling intrusion detection alarms more efficiently. Central to this approach is the notion that each alarm occurs for a reason, which is referred to as the alarm's root cause. We observe that a few dozen rather persistent root causes generally account for over 90% of the alarms that an intrusion detection system triggers. Therefore, we argue that alarms should be handled by identifying and removing the most predominant and persistent root causes. To make this paradigm practicable, we propose a novel alarm-clustering method that supports the human analyst in identifying root causes. We present experiments with real-world intrusion detection alarms to show how alarm clustering helped us identify root causes. Moreover, we show that the alarm load decreases substantially once the identified root causes are eliminated so that they can no longer trigger alarms.
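As an added example (not the paper's own code; the page does not describe the clustering method itself), the following Python script illustrates the root-cause paradigm above on a constructed stream of 60 alarms. Each alarm is a (signature, source IP, destination IP, destination port) tuple. Attribute values are generalized step by step along assumed hierarchies (host -> /24 -> /16 -> ANY; port -> privileged/unprivileged -> ANY; signature -> ANY) until at least MIN_SIZE alarms share one generalized pattern; that pattern is reported as a cluster, its members are removed, and the process repeats. A second function then filters the stream as if the root causes behind the largest clusters had been fixed, so the drop in alarm load can be seen directly. The sample alarms, the hierarchies, the "most distinct values first" heuristic and MIN_SIZE are all assumptions of this example.

```python
"""Alarm clustering by attribute generalization (illustrative example, not the paper's code)."""
import ipaddress
from collections import Counter

ANY = "ANY"
ATTRS = ("sig", "src", "dst", "port")


def generalize_ip(v):
    """Assumed hierarchy: host -> /24 -> /16 -> ANY."""
    if v == ANY:
        return ANY
    net = ipaddress.ip_network(v, strict=False)
    if net.prefixlen > 24:
        return str(net.supernet(new_prefix=24))
    if net.prefixlen > 16:
        return str(net.supernet(new_prefix=16))
    return ANY


def generalize_port(v):
    """Assumed hierarchy: port -> privileged/unprivileged -> ANY; None (no port) -> ANY."""
    if isinstance(v, int):
        return "privileged" if v < 1024 else "unprivileged"
    return ANY


HIERARCHIES = {"sig": lambda v: ANY, "src": generalize_ip,
               "dst": generalize_ip, "port": generalize_port}


def cluster_alarms(alarms, min_size):
    """Greedy attribute-oriented induction.

    Repeatedly generalize the attribute with the most distinct values until some
    pattern covers >= min_size alarms; emit it as a cluster, drop its members and
    start over.  Returns (clusters, leftovers); clusters is a list of (pattern, size).
    """
    remaining = list(alarms)
    clusters = []
    while remaining:
        gen = list(remaining)                    # index-aligned generalized view
        while True:
            pattern, size = Counter(gen).most_common(1)[0]
            if size >= min_size:
                break
            # attributes that still have something left to generalize
            cands = [i for i in range(len(ATTRS)) if any(g[i] != ANY for g in gen)]
            if not cands:
                return clusters, remaining       # leftovers can never reach min_size
            i = max(cands, key=lambda k: len({g[k] for g in gen}))
            f = HIERARCHIES[ATTRS[i]]
            gen = [g[:i] + (f(g[i]),) + g[i + 1:] for g in gen]
        members = [a for a, g in zip(remaining, gen) if g == pattern]
        clusters.append((pattern, len(members)))
        remaining = [a for a, g in zip(remaining, gen) if g != pattern]
    return clusters, remaining


def matches(alarm, pattern):
    """True if every attribute of the alarm generalizes up to the pattern's value."""
    for attr, value, target in zip(ATTRS, alarm, pattern):
        while value != target and value != ANY:
            value = HIERARCHIES[attr](value)
        if value != target:
            return False
    return True


def alarms_after_removal(alarms, clusters, k):
    """The alarm stream once the root causes of the k largest clusters are fixed."""
    top = [p for p, _ in sorted(clusters, key=lambda c: c[1], reverse=True)[:k]]
    return [a for a in alarms if not any(matches(a, p) for p in top)]


def coverage(clusters, total):
    """Fraction of all alarms explained by the clusters found."""
    return sum(n for _, n in clusters) / total


# Constructed sample alarm stream (not real data): three persistent root causes
# plus two unrelated alarms, 60 alarms in total.
ALARMS = (
    # a management station pinging every host of 10.1.2.0/24
    [("ICMP PING", "10.0.0.5", f"10.1.2.{10 + i}", None) for i in range(30)]
    # internet background noise against the public web server
    + [("WEB-CGI access", f"198.51.100.{i + 1}", "192.0.2.10", 80) for i in range(20)]
    # one workstation broadcasting NetBIOS name queries
    + [("NETBIOS name query", "10.2.3.7", "10.2.3.255", 137)] * 8
    + [("SSH brute force", "203.0.113.9", "192.0.2.22", 22),
       ("DNS zone transfer", "203.0.113.44", "192.0.2.53", 53)]
)
MIN_SIZE = 5  # assumed minimum cluster size

if __name__ == "__main__":
    clusters, leftovers = cluster_alarms(ALARMS, MIN_SIZE)
    for pattern, size in sorted(clusters, key=lambda c: c[1], reverse=True):
        print(f"{size:3d} alarms  {pattern}")
    print(f"{len(leftovers)} alarms unclustered; "
          f"{coverage(clusters, len(ALARMS)):.0%} explained by {len(clusters)} clusters")
    for k in range(len(clusters) + 1):
        left = len(alarms_after_removal(ALARMS, clusters, k))
        print(f"fix the {k} largest root causes -> {left} alarms left")
```

On this constructed stream the script finds three clusters (30, 20 and 8 alarms) that explain 58 of the 60 alarms; fixing the two largest root causes leaves 10 alarms, fixing all three leaves 2. The greedy choice "generalize the attribute with the most distinct values" is only one heuristic: with a different order, or with destination hosts spread over several /24 networks, the same root cause can be split into several clusters, which is why the analyst still reviews the patterns before treating each as a root cause.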