Mining intrusion detection alarms for actionable knowledge

Klaus Julisch, Marc Dacier

Research output: Chapter in Book/Report/Conference proceedingConference contribution

202 Scopus citations

Abstract

In response to attacks against enterprise networks, administrators increasingly deploy intrusion detection systems. These systems monitor hosts, networks, and other resources for signs of security violations. The use of intrusion detection has given rise to another difficult problem, namely the handling of a generally large number of alarms. In this paper, we mine historical alarms to learn how future alarms can be handled more efficiently. First, we investigate episode rules with respect to their suitability in this approach. We report the difficulties encountered and the unexpected insights gained. In addition, we introduce a new conceptual clustering technique, and use it in extensive experiments with real-world data to show that intrusion detection alarms can be handled efficiently by using previously mined knowledge.
Original languageEnglish (US)
Title of host publicationProceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining
PublisherAssociation for Computing Machinery (ACM)
Pages366-375
Number of pages10
DOIs
StatePublished - Jan 1 2002
Externally publishedYes

Fingerprint

Dive into the research topics of 'Mining intrusion detection alarms for actionable knowledge'. Together they form a unique fingerprint.

Cite this