Time series modeling for IDS alert management
Source: Conference on Computer and Communications Security archive
Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security
Taipei, Taiwan
Session: Intrusion detection and modeling
Pages: 102-113
Year of Publication: 2006
ISBN: 1-59593-272-0
Authors
Jouni Viinikka  France Telecom, BP, Caen Cedex, France
Hervé Debar  France Telecom, BP, Caen Cedex, France
Ludovic Mé  Supélec, BP, Cesson Sévigné Cedex, France
Renaud Séguier  Supélec, BP, Cesson Sévigné Cedex, France
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1128817.1128835

ABSTRACT

Intrusion detection systems create large numbers of alerts. A significant part of these alerts can be seen as the background noise of an operational information system, and its volume typically overwhelms the user. In this paper we have three points to make. First, we present our findings regarding the causes of this noise. Second, we give reasons why one would want to keep an eye on the noise despite the large number of alerts. Finally, we propose one approach for monitoring the noise with a reasonable user load. The approach is based on modeling regularities in alert flows with classical time series methods. We present experiments and results obtained using real-world data.

