Data Mining Applied to Intrusion Detection: MITRE Experiences

Bloedorn, Eric; Talbot, Lisa M.; DeBarr, David

doi:10.1007/1-84628-253-5_5

Cited by 8 publications

(7 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…By combining K-means algorithms and incremental learning decision trees to reduce the FPR, Bloedorn, Talbot and DeBarr [16] improved the MITRE's network security package that generates about 850,000 alerts a day. The results showed that a 71,094 priority 1 alerts in one day were reduced to 1,011 (over a 98% reduction), allowing the analyst to spend more time on unusual alerts and potentially more stealthy attacks, and thus increase the system level security.…”

Section: Related Workmentioning

confidence: 99%

Entropy clustering approach for improving forecasting in DDoS attacks

Olabelurin

Veluru

Healing

et al. 2015

2015 IEEE 12th International Conference on Networking, Sensing and Control

View full text Add to dashboard Cite

Volume anomaly such as distributed denial-of-service (DDoS) has been around for ages but with advancement in technologies, they have become stronger, shorter and weapon of choice for attackers. Digital forensic analysis of intrusions using alerts generated by existing intrusion detection system (IDS) faces major challenges, especially for IDS deployed in large networks. In this paper, the concept of automatically sifting through a huge volume of alerts to distinguish the different stages of a DDoS attack is developed. The proposed novel framework is purposebuilt to analyze multiple logs from the network for proactive forecast and timely detection of DDoS attacks, through a combined approach of Shannon-entropy concept and clustering algorithm of relevant feature variables. Experimental studies on a cyber-range simulation dataset from the project industrial partners show that the technique is able to distinguish precursor alerts for DDoS attacks, as well as the attack itself with a very low false positive rate (FPR) of 22.5%. Application of this technique greatly assists security experts in network analysis to combat DDoS attacks. Index Terms-alert management, distributed denial-of-service (DDoS) detection, k-means clustering analysis, network security, online anomaly detection, Shannon entropy.

show abstract

Section: Related Workmentioning

confidence: 99%

Entropy clustering approach for improving forecasting in DDoS attacks

Olabelurin

Veluru

Healing

et al. 2015

2015 IEEE 12th International Conference on Networking, Sensing and Control

View full text Add to dashboard Cite

show abstract

“…The main function of the model that we are interested in is classification, as normal, or malicious, or as a particular type of attack [9]. We are also interested in link and sequence analysis [10]. Additionally, data mining systems provide the means to easily perform data summarization and visualization, aiding the security analyst in identifying areas of concern [10].…”

Section: Data Mining and Nidsmentioning

confidence: 99%

“…We are also interested in link and sequence analysis [10]. Additionally, data mining systems provide the means to easily perform data summarization and visualization, aiding the security analyst in identifying areas of concern [10]. The models must be represented in some form.…”

Section: Data Mining and Nidsmentioning

confidence: 99%

Study of Data Mining Based Approaches For Network Intrusion Detection System

Shukla

Yadav

2015

SMSJ

View full text Add to dashboard Cite

In the current era, there is ample knowledge in using Internet in social networks (such as instant messaging, video conferencing, etc.), the field of healthcare, various areas related to electronic commerce, banking, and services several other fields. As computer systems based on the network plays an ever more important in modern society once they have become the target of our enemies and criminals. Therefore, we must find the best way to protect our systems. The security of a computer system is compromised during an intrusion occurs. Intrusion can be defined as “a set of actions that aim to compromise the integrity, confidentiality or availability of a resource,” for example, illegally obtain superuser privileges to attack and make out of the system (ie, Denial of Service), etc. The purpose of this document is to provide a study of some works that use data mining techniques to detect intrusions and answer some technical questions. An advance effective idea is discussed in the chapter that will detect intruders in a data storage perspective and integrate data mining and online analytical processing (OLAP) for the purpose of intrusion detection.

show abstract

“…Οι κανόνεσ ορίηονται με διαφορετικά χαρακτθριςτικά όπωσ διεφκυνςθ αποςτολζα, διεφκυνςθ παραλιπτθ, κφρα επικοινωνίασ, flags, όρια κίνθςθσ, κ.ά. Ζνα μεγάλο πρόβλθμα ςε πολλά ςυςτιματα είναι πωσ ο οριςμόσ των κανόνων είναι μια δφςκολθ και λεπτι διεργαςία και εμπεριζχει ψεφτικοφσ ςυναγερμοφσ (false positive alarm) και χαμζνεσ επικζςεισ (missed detection) [56], [57].…”

Section: η βϊςη δεδομϋνων του συςτόματοσunclassified

“…Αρκετι ζρευνα επικεντρϊνεται ςτθν ανάλυςθ των ακολουκιϊν κυκλοφορίασ κάνοντασ χριςθ τεχνικϊν Data Mining για τθν περιγραφι μοντζλων ανίχνευςθσ ανωμαλιϊν [56], [58], [52], [59], [60], [61], [62], [63].…”

Section: η βϊςη δεδομϋνων του συςτόματοσunclassified

Μοντέλα Ασυνήθους Δικτυακής Κυκλοφορίας Σε TCP/IP Δικτυακά Υπολογιστικά Περιβάλλοντα

Κομνηνός¹

View full text Add to dashboard Cite

In this PhD Thesis we developed models for the abnormal network traffic based on TCP/IP communication protocol of computer systems, and the behavior of systems and users under viruses and worms attacks. For the development we combined mathematical formalism on real attributes that characterize almost all attacking efforts of hackers, virus and worms against comput-ers and networking systems. Our main goal was based upon the theoretic models we proposed, to provide a use-ful tool to deal with intrusions. Thus we developed a Software Tool for Distributed Intrusion Detection in Computer Networks (PODC-2004, 23rd ACM SIGART-SIGOPS, Canada, Best presentation award). Based on an improved model we produced a real time distributed detection system of network attacks (International Journal of Com-puter Science and Network Security, VOL.6, No.7, July 2006) that is installed in West-ern Greece Region as a peripheral distributed system for early warning administra-tors of worm and virus propagation and hackers’ attacks. This work is funded by the Greek General Secretariat of Research and Technology under the Regional Program of Innovative Actions. Also in this work we propose a discrete worm rapid propagation model based on so-cial networks that are built using the address book of e-mail and instant messaging clients using the mathematic formalism of Constraint Satisfaction Problems (CSP). The address book, which reflects the acquaintance profiles of people, is used as a “hit-list”, to which the worm can send itself in order to spread fast. We also model user reaction against infected email as well as the rate at which antivirus software is installed. We then propose a worm propagation formulation based on a token prop-agation algorithm, further analyzed with a use of a system of continuous differential equations, as dictated by Wormald’s theorem on approximating “well-behaving” random processes with deterministic functions. Finally in this work we present a virus propagation and elimination model that takes into account the traffic and server characteristics of the network computers. This model partitions the network nodes into perimeter and non-perimeter nodes. In-coming/outgoing traffic of the network passes through the perimeter of the net-work, where the perimeter is defined as the set of the servers which are connected directly to the internet. All network nodes are assumed to process tasks based on the M/M/1 queuing model. We study burst intrusions (e.g. Denial of Service Attacks) at the network perimeter and we propose a kind of interaction between these agents that results using the formalism of distribution of network tasks for Jackson open networks of queues

show abstract

Data Mining Applied to Intrusion Detection: MITRE Experiences

Cited by 8 publications

References 0 publications

Entropy clustering approach for improving forecasting in DDoS attacks

Entropy clustering approach for improving forecasting in DDoS attacks

Study of Data Mining Based Approaches For Network Intrusion Detection System

Μοντέλα Ασυνήθους Δικτυακής Κυκλοφορίας Σε TCP/IP Δικτυακά Υπολογιστικά Περιβάλλοντα

Contact Info

Product

Resources

About