Cohesion Based Algorithm to Manage IDS Alerts

doi:10.16182/j.issn1004731x.joss.201704021

Abstract

Abstract: On the basis of intrusion taxonomies and semantic similarity, the concept of cluster cohesion as well as an algorithm was proposed to manage IDS alerts. Based on cohesion, the proposed approach used improved bisecting K-means to aggregate massive alerts, and extracted the abnormal alerts from clusters formed in aggregation. The experimental results show that the approach is effective in alerts aggregation and abnormal alerts detecting, and can generate understandable meta-alerts with higher accuracy.

Key words: alerts aggregation, anomaly extraction, semantic similarity, cohesion, improved bisecting k-means

CLC Number:

TP309.1

Huang Jinlei, Wang Hengjun, Yu Bin. Cohesion Based Algorithm to Manage IDS Alerts[J]. Journal of System Simulation, 2017, 29(4): 859-864.

References

[1] 穆成坡, 黄厚宽, 田盛丰. 入侵检测系统报警信息聚合与关联技术研究综述[J]. 计算机研究与发展, 2006, 43(1): 1-8.
(Mu Chengpo, Huang Houkuan, Tian Shengfeng.Survey of Intrusion-Detection Alert Aggregation and Correlation Techniques[J]. Computer Research and Development, 2006, 43(1): 1-8.)
[2] 王琢, 范九伦, 刘建华. 入侵检测系统报警信息聚合方法的改进[J]. 计算机工程与应用, 2010, 46(7): 107-109.
(Wang Zhuo, Fan Jiulun, Liu Jianhua.Improved Aggregation Algorithm for Intrusion-Detection Alerts[J]. Computer Engineering and Applications, 2010, 46(7): 107-109.)
[3] 郭帆, 余敏, 叶继华. 一种基于分类和相似度的报警聚合方法[J]. 计算机应用, 2007, 27(10): 2446-2449.
(Guo Fan, Yu Min, Ye Jihua.Alert Aggregation Algorithm Based on Category and Similarity[J]. Computer Applications, 2007, 27(10): 2446-2449.)
[4] Klaus Julisch.Using Root Cause Analysis to Handle Intrusion Detection Alarms [D]. Germany: University Dortmund, 2003.
[5] Saad S, Traore I.A Semantic Analysis Approach to Manage IDS Alerts Flooding[C]// Information Assurance and Security (IAS), 2011 7th International Conference on. USA: IEEE, 2011: 156-161.
[6] Siraj M M, Maarof M A, Hashim S Z M. Intelligent Clustering with PCA and Unsupervised Learning Algorithm in Intrusion Alert Correlation[C]// Information Assurance and Security 2009. Fifth International Conference on. USA: IEEE, 2009, 1: 679-682.
[7] 胥小波, 蒋琴琴, 郑康锋, 等. 基于混沌粒子群的IDS告警聚类算法[J]. 通信学报, 2013, 34(3): 105-110.
(Xu Xiaobo, Jiang Qinqin, Zheng Kangfeng, et al.IDS Alert Clustering Algorithm Based on Chaotic Particle Swarm Optimization[J]. Journal on Communications, 2013, 34(3): 105-110.)
[8] Ahrabi A A A, Navin A H, Bahrbegi H, et al. A New System for Clustering and Classification of Intrusion Detection System Alerts Using Self-Organizing Maps[J]. International Journal of Computer Science and Security (IJCSS)(S1985-1553), 2010, 4(6): 589-597.
[9] Steinbach M, Karypis G, Kumar V.A Comparison of Document Clustering Techniques[J]. KDD Workshop on Text Mining(S2095-2236), 2000, 400(1): 525-526.

[1]	Shi Yanqing, Chen Wei, Yu Bin. Wormhole Attack Detection Scheme Design in ZigBee Network [J]. Journal of System Simulation, 2017, 29(4): 853-858.
[2]	Zhang Xinghao, Huang Yicai, Yu Bin. BLE Key Agreement Scheme Based on RSSI Variation Trend [J]. Journal of System Simulation, 2017, 29(4): 873-879.
[3]	Gong Bi, Yu Bin. Model for Multi-area Interaction Control Based on User Strategy [J]. Journal of System Simulation, 2017, 29(4): 880-885.
[4]	Wang Qilin, Huang Yicai, Yu Bin. Scheme for Detecting DoS Attack in Bluetooth Low Energy [J]. Journal of System Simulation, 2016, 28(6): 1365-1371.
[5]	Zhao Songyin, Yu Bin. Design and Implementation of Secure USB Connection [J]. Journal of System Simulation, 2016, 28(6): 1400-1405.
[6]	Huang Yibo, Huang Yicai, Yu Bin. Design of BLE Key Agreement Scheme Based on Hash Chain [J]. Journal of System Simulation, 2016, 28(6): 1412-1419.
[7]	Huang Meigen, Yu Bin, Kong Zhiyin. Sybil Attack Detection Scheme Design in ZigBee Network [J]. Journal of System Simulation, 2016, 28(6): 1452-1460.
[8]	Zhang Xuesi, Yu Bin. Security Model for Multi-level Interaction Based on Portable Devices [J]. Journal of System Simulation, 2015, 27(4): 755-761.
[9]	Zhou Weiwei, Yue Yuntian, Yu Bin. Research of Multi-factor Identity Authentication Scheme for ZigBee Network Nodes [J]. Journal of System Simulation, 2015, 27(4): 762-769.
[10]	Tong Yu, Cai Jingwen. Two-Point Joint CPA Attacks Against AES and Its Simulation [J]. Journal of System Simulation, 2021, 33(8): 1980-1988.
[11]	Cheng Yuqiao, Fu Zhengxin, Yu Bin. A XOR-based Visual Cryptography Scheme for (2, n) Access Structure with Ideal Structure Division [J]. Journal of System Simulation, 2020, 32(1): 20-26.