Abstract
Malware is spread all over cyberspace and often leads to serious security incidents. To grasp the present trends of malware activity, a number of ongoing network monitoring projects collect large amounts of data such as network traffic and IDS logs. These data need to be analyzed in depth, since they potentially contain critical symptoms such as an outbreak of new malware, stealthy botnet activity, or a new type of attack on an unknown vulnerability. We have been developing the Network Incident analysis Center for Tactical Emergency Response (NICTER), which monitors a wide range of networks in real time. NICTER deploys several analysis engines that take advantage of data mining techniques in order to analyze the monitored traffic. This paper gives a brief overview of NICTER and its data-mining-based analysis engines: the Change Point Detector (CPD), the Self-Organizing Map analyzer (SOM analyzer) and the Incident Forecast engine (IF).
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Inoue, D. et al. (2009). An Incident Analysis System NICTER and Its Analysis Engines Based on Data Mining Techniques. In: Köppen, M., Kasabov, N., Coghill, G. (eds) Advances in Neuro-Information Processing. ICONIP 2008. Lecture Notes in Computer Science, vol 5506. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02490-0_71
DOI: https://doi.org/10.1007/978-3-642-02490-0_71
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02489-4
Online ISBN: 978-3-642-02490-0