Y-AOI: Y-Means Based Attribute Oriented Induction Identifying Root Cause for IDSs

  • Jungtae Kim
  • Gunhee Lee
  • Jung-taek Seo
  • Eung-ki Park
  • Choon-sik Park
  • Dong-kyoo Kim
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3614)

Abstract

Attribute-oriented induction (AOI) is an aggregation method: by generalizing the attributes of alerts it produces clusters, each grouping alerts that share the same or a similar cause. If the attributes are generalized too far, however, the administrator can no longer identify the root cause of the attack. Choosing the time interval over which alerts are clustered and choosing min_size (the minimum cluster size) are also critical problems. In this paper we describe the over-generalization problem caused by an unbalanced generalization hierarchy and discuss a solution. We also discuss how to decide the time interval and a meaningful min_size, and propose a reasonable method for both.
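The over-generalization effect the abstract describes can be reproduced with a few lines of AOI. The following is an added illustration, not code from the paper: the hierarchies, the alert log and the min_size value are constructed so that the source-IP hierarchy is three levels deep while port and signature are one level deep. A naive policy that generalizes the attributes in fixed rotation exhausts the shallow hierarchies first and reports a cluster whose port and signature are both "ANY", losing the root cause; a depth-aware policy keeps them. The last function also shows what happens when min_size exceeds the number of alerts in the window.

```python
"""Attribute-oriented induction (AOI) over IDS alerts, showing how an unbalanced
generalization hierarchy over-generalizes the result.

Added example, not code from the paper. HIERARCHY, ALERTS and the min_size
values used below are constructed assumptions chosen to expose the effect."""
from collections import Counter

# Generalization hierarchies as child -> parent maps (constructed).
# src_ip has three levels (host -> /24 -> /16 -> ANY-IP); dst_port and
# signature have one level each, so the hierarchies are unbalanced.
HIERARCHY = {
    "src_ip": {
        "10.1.2.3": "10.1.2.0/24", "10.1.2.4": "10.1.2.0/24",
        "10.1.7.9": "10.1.7.0/24", "10.1.7.10": "10.1.7.0/24",
        "192.168.5.5": "192.168.5.0/24",
        "10.1.2.0/24": "10.1.0.0/16", "10.1.7.0/24": "10.1.0.0/16",
        "192.168.5.0/24": "192.168.0.0/16",
        "10.1.0.0/16": "ANY-IP", "192.168.0.0/16": "ANY-IP",
    },
    "dst_port": {"80": "ANY-PORT", "22": "ANY-PORT"},
    "signature": {"HTTP dir traversal": "ANY-SIG", "SSH brute force": "ANY-SIG"},
}
ATTRS = ("src_ip", "dst_port", "signature")

# Constructed alert log for one time window: six directory-traversal alerts
# from hosts in two /24s of 10.1.0.0/16 (the root cause to recover) plus two
# unrelated SSH brute-force alerts.
ALERTS = [
    ("10.1.2.3", "80", "HTTP dir traversal"), ("10.1.2.3", "80", "HTTP dir traversal"),
    ("10.1.2.4", "80", "HTTP dir traversal"),
    ("10.1.7.9", "80", "HTTP dir traversal"), ("10.1.7.9", "80", "HTTP dir traversal"),
    ("10.1.7.10", "80", "HTTP dir traversal"),
    ("192.168.5.5", "22", "SSH brute force"), ("192.168.5.5", "22", "SSH brute force"),
]

def depth_to_root(attr, value):
    """Number of generalization steps left before `value` reaches its root."""
    steps = 0
    while value in HIERARCHY[attr]:
        value = HIERARCHY[attr][value]
        steps += 1
    return steps

def generalize(table, idx):
    """Lift attribute `idx` one level for every tuple and merge equal tuples."""
    attr = ATTRS[idx]
    out = Counter()
    for tup, n in table.items():
        lifted = list(tup)
        lifted[idx] = HIERARCHY[attr].get(tup[idx], tup[idx])  # roots stay put
        out[tuple(lifted)] += n
    return out

def aoi(alerts, min_size, choose):
    """Generalize until one cluster holds >= min_size alerts; return (tuple, size).
    `choose(table)` selects the attribute index to generalize next. Stops early
    when every attribute of every tuple is already at its root."""
    table = Counter(alerts)
    while True:
        tup, n = table.most_common(1)[0]
        if n >= min_size:
            return tup, n
        if all(depth_to_root(a, t[i]) == 0 for t in table for i, a in enumerate(ATTRS)):
            return tup, n
        table = generalize(table, choose(table))

def round_robin():
    """Naive policy: cycle through the attributes in a fixed order."""
    state = {"i": -1}
    def choose(table):
        state["i"] = (state["i"] + 1) % len(ATTRS)
        return state["i"]
    return choose

def deepest_first(table):
    """Balanced policy: generalize the attribute whose values are farthest from
    their root, so the shallow hierarchies are not exhausted first."""
    remaining = [max(depth_to_root(a, t[i]) for t in table) for i, a in enumerate(ATTRS)]
    return max(range(len(ATTRS)), key=lambda i: remaining[i])

def root_attributes(tup):
    """How many attributes of a cluster have been generalized all the way to
    'ANY'; each one is information the administrator can no longer use."""
    return sum(1 for i, a in enumerate(ATTRS) if depth_to_root(a, tup[i]) == 0)

if __name__ == "__main__":
    for name, policy in (("round-robin", round_robin()), ("deepest-first", deepest_first)):
        cluster, size = aoi(ALERTS, 6, policy)
        print(f"{name:14s} -> {cluster} size={size} root_attrs={root_attributes(cluster)}")
    # A min_size larger than the window holds forces everything to its root.
    print("min_size=9     ->", aoi(ALERTS, 9, deepest_first))
```

With min_size 6, the round-robin policy returns ("10.1.0.0/16", "ANY-PORT", "ANY-SIG"): the right network, but the attack type is gone. The deepest-first policy returns ("10.1.0.0/16", "80", "HTTP dir traversal"), which names the root cause. With min_size 9, larger than the eight alerts in the window, even the balanced policy ends at ("ANY-IP", "ANY-PORT", "ANY-SIG"), which is why the choice of time interval and min_size has to be made together.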

Keywords

Intrusion Detection, Intrusion Detection System, Current Node, Discrete Time Interval, Decide Time Interval
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jungtae Kim (1)
  • Gunhee Lee (1)
  • Jung-taek Seo (2)
  • Eung-ki Park (2)
  • Choon-sik Park (2)
  • Dong-kyoo Kim (1)
  1. Graduate School of Information Communication, Ajou University, Suwon, Korea
  2. National Security Research Institute, Daejeon, Korea