ICCGI 2012, The Seventh International Multi-Conference on Computing in the Global Information Technology
A Behavior-Based Method for Rationalizing the Amount of IDS Alert Data
Authors:
Teemu Alapaholuoma
Jussi Nieminen
Jorma Ylinen
Timo Seppälä
Pekka Loula
Keywords: Alert, Detection, Intrusion, Clustering, Snort
Abstract:
Intrusion detection systems typically rely on signatures. A signature describes a rule that is realized as an alert whenever the intrusion detection system observes an IP packet matching the rule in the network. In the configuration phase of a signature-based intrusion detection system, the operator usually activates the signatures considered interesting, where interesting typically refers to aberrant traffic and behavior in the network. The classification of signatures as interesting or uninteresting is typically based on prior knowledge about the characteristics of the monitored network. In this paper, we introduce a method based on network behavior for identifying which alerts and signatures could be considered interesting. Based on this identification, only the signatures labeled as interesting should be activated, in order to rationalize the amount of alert data produced. The method is based on K-means clustering of intrusion detection system alert data.
Pages: 302 to 307
Copyright: Copyright (c) IARIA, 2012
Publication date: June 24, 2012
Published in: conference
ISSN: 2308-4529
ISBN: 978-1-61208-202-8
Location: Venice, Italy
Dates: from June 24, 2012 to June 29, 2012
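The abstract describes clustering alert data with K-means to decide which signatures are worth keeping active. The example below is an added illustration of that idea and not the paper's own method or data: it builds a per-signature behaviour vector (alert count, distinct source hosts, distinct destination hosts) from constructed alert records, runs a two-cluster K-means, and treats the lower-volume cluster as the interesting one; the feature choice and that labeling rule are assumptions of this example.

```python
import math
from collections import defaultdict

# Constructed alert records (sid, source IP, destination IP) standing in for
# parsed Snort alerts; not data from the paper. Two signatures fire steadily
# from many internal hosts, two fire rarely from a single external host.
RECORDS = (
    [(2001219, f"10.0.0.{i}", "10.0.0.9") for i in range(1, 41)]
    + [(2010935, f"10.0.1.{i % 20}", "10.0.0.9") for i in range(60)]
    + [(1000777, "203.0.113.7", "10.0.0.9")] * 3
    + [(1000778, "203.0.113.7", "10.0.0.10")] * 2
)

def signature_features(records):
    """Per-signature behaviour vector: (alert count, distinct sources, distinct destinations)."""
    counts, srcs, dsts = defaultdict(int), defaultdict(set), defaultdict(set)
    for sid, src, dst in records:
        counts[sid] += 1
        srcs[sid].add(src)
        dsts[sid].add(dst)
    return {sid: (counts[sid], len(srcs[sid]), len(dsts[sid])) for sid in counts}

def normalize(vectors):
    """Scale each feature to [0, 1] so raw alert volume does not dominate the distance."""
    maxes = [max(v[i] for v in vectors.values()) or 1 for i in range(3)]
    return {sid: tuple(v[i] / maxes[i] for i in range(3)) for sid, v in vectors.items()}

def kmeans2(points, rounds=50):
    """Plain two-cluster K-means, seeded with the most distant pair so runs are deterministic."""
    pts = list(points.values())
    centroids = list(max(((p, q) for p in pts for q in pts), key=lambda pq: math.dist(*pq)))
    assignment = {}
    for _ in range(rounds):
        new = {sid: min(range(2), key=lambda c: math.dist(p, centroids[c])) for sid, p in points.items()}
        if new == assignment:  # assignments stable: converged
            break
        assignment = new
        for c in range(2):
            members = [points[s] for s, a in assignment.items() if a == c]
            if members:
                centroids[c] = tuple(sum(m[i] for m in members) / len(members) for i in range(3))
    return assignment, centroids

def interesting_signatures(records):
    """Return the SIDs in the low-volume cluster. Assumption of this example (not the
    paper's rule): the high-volume, many-source cluster is background noise whose
    signatures can be deactivated, while the other cluster stays enabled."""
    assignment, centroids = kmeans2(normalize(signature_features(records)))
    quiet = min(range(2), key=lambda c: centroids[c][0])
    return {sid for sid, c in assignment.items() if c == quiet}
```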