Research of Intrusion Alert Aggregation Based on Spatial and Temporal Density

Abstract

Abstract: Distributed Intrusion Detection System has created the problem to investigate a mass of duplicate alerts and high false positive rate in practical applications. Based on DBSCAN, density based spatial and temporal clustering of applications with noise (DBS&TCAN) algorithm was proposed by introducing temporal density. The approach aggregated partial alerts based on spatial density, and merges partial aggregation on the basis of temporal density. The effectiveness of the algorithm was demonstrated by the intrusion detection evaluation dataset. The comparative experiments and analysis show that the algorithm is effective in alert aggregation and gives better results in terms of real time.

Key words: Intrusion detection system, alert aggregation, temporal density, DBSCAN, DBS&TCAN;, real time

CLC Number:

TP393.08

Zhang Jing, Wang Hengjun, Li Junquan, Yu Bin. Research of Intrusion Alert Aggregation Based on Spatial and Temporal Density[J]. Journal of System Simulation, 2016, 28(6): 1336-1343.

References

[1] 卿斯汉, 蒋建春, 马恒太, 等. 入侵检测技术研究综述[J]. 通信学报, 2004, 25(7): 19-29.
[2] 穆成坡, 黄厚宽, 田盛丰. 入侵检测系统报警信息聚合与关联技术研究综述[J]. 计算机研究与发展, 2006, 43(1): 1-8.
[3] T Kanungo, N S Netanyahu, A Y Wuan.An Efficient k-Means Clustering Algorithm: Analysis and Implementation[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence(S0162-8828), 2002, 24(7): 881-892.
[4] Hadi Bahrbegi, Ahmad Habibizad Navin, Amir Azimi Alasti Ahrabi. A New System to Evaluate GA-based Clustering Algorithms in Intrusion Detection Alert Management[C]// 2010 Second World Congress on Nature and Biologically Inspired Computing. Kitakyushu (Japan): Institute of Electrical and Electronics Engineers( IEEE ), 2010: 115-120.
[5] A Hofmann, D Fisch, B Sick.Identifying Attack Instances by Alert Clustering[C]// Proc. IEEE Three-Rivers Workshop Soft Computing in Industrial Applications. USA: IEEE, 2007: 25-31.
[6] G C Tjhai, S M Furnell, M Papadaki, et al.Preliminary two-stage alarm correlation and filtering system using SOM neural network and K-means algorithm[J]. Computers & Security(S0167-4048), 2011, 29(6): 712-723.
[7] Emmanuel Hooper.An Intelligent Intrusion Detection and Response System Using Hybrid Ward Hierarchical Clustering Analysis[C]// Multimedia and Ubiquitous Engineering. Crete(Greece): Institute of Electrical and Electronics Engineers( IEEE ), 2010: 1187-1192.
[8] C Tsai, C C Yen.Unsupervised Anomaly Detection Using HDG-Clustering Algorithm[C]// Neural Information Processing, Germany: Springer Berlin (Heidelberg), 2009: 356-365.
[9] M Ester, H P Kriegal, J Sander, et al.A density-based algorithm for discoverying clusters in large spatial databases with noise [C]// KDD96 Proceedings of 2nd International Conference on Knowledge Discovery and Data Mining. Portland(Oregon): AAAI Press, 1996, 96(34): 226-231.
[10] Tran Manh Thang, Juntae Kim.The Anomaly Detection by Using DBSCAN Clustering with Multiple Parameters[C]// Information Science and Applications (ICISA), 2011 International Conference (IEEE). USA: IEEE, 2011: 1-5.
[11] Alexander Hofmann, Bernhard Sick.Online Intrusion Alert Aggregation with Generative Data Stream Modeling[J]. IEEE Transactions on Dependable and Secure Computing(S1545-5971), 2011, 8(2): 282-294.
[12] Xfocus Team. Bro: 一个开放源码的高级NIDS系统. [EB/OL]. (2003-10-12) [2015-04-29]. http://www.xfocus. net/articles/200310/624.html.
[13] M V Mahoney, P K Chan.Learning rules for anomaly detection of hostile network traffic [C]// Proc. 3rd IEEE Int’l Conf. Data Mining Los Alamitos, CA, USA. USA: IEEE Computer Society Press, 2003: 601-604.
[14] Caswell B, Roesch M. Snort: The open source network intrusion detection system [EB/OL]. (2009-04-21) [2015-04-29]. http://www.snort.org/
[15] 穆成坡, 黄厚宽, 田盛丰. 入侵报警管理与入侵响应系统&中的自适应报警聚合[J]. 计算机科学, 2007, 34(12): 73-77.
[16] 胥小波, 蒋琴琴, 郑康锋, 等. 基于混沌粒子群的告警聚类算法[J]. 通信学报, 2013, 34(3): 105-110.