Guessing strategy for improving intrusion detections

Abstract: Intrusion detectors isolate intrusions based on allowable and disallowable activities. The disallowable policy enforcers will alert only on events that are known to be bad while the allowable policy enforcer will alert on events that deviate from those that have been classified as good. However, these trade-offs become difficult to balance in a recent time due to the complexity of computer attacks. Accordingly, intrusion detectors generate tons of alerts that may signify realistic and false attacks. Most often… Show more

“…Researches have shown that intrusion detectors can flag alerts on intrusive packets that expire before they reach destination machines [9,10,13]. One of the reasons behind this is that allowable events can be defined in many respects.…”

“…Therefore, this paper extends our previous findings on the application of category utility function to evaluate clustering algorithms that are designed to process intrusion logs [10]. Category utility function has been defined in [5] and in [7] as a measure of goodness of dataset that are clustered together [10,12].…”

“…Therefore, there is need to select appropriate clustering algorithm and attributes that will help to discriminate failed attacks from realistic attacks whenever intrusive logs are investigated. Thereafter, it is necessary to evaluate the clustering algorithms that are used in this case so that the chances of correctly predicting suitable attributes of each group of the attacks (clustering criteria) given the probabilities of known attributes of the same attacks can be maximized [10]. The premise is that the results will also help to predict unknown attributes that can enhance countermeasures, or help to thwart successful attacks while in progress.…”

“…Category utility function has been defined in [5] and in [7] as a measure of goodness of dataset that are clustered together [10,12]. Category utility justifies probabilistic rules that can be used to correctly predict information an observer can gain on unclassified examples if the probability of each value of the clustering criteria is known.…”

“…Nevertheless, comparisons of clusters of failed attacks with clusters of successful attacks are not objectively evaluated over the years [8]. Instead, it is either they were clustered together or each group was erroneously analyzed differently [10].…”

A Framework for Evaluating Clustering Algorithm

“…Researches have shown that intrusion detectors can flag alerts on intrusive packets that expire before they reach destination machines [9,10,13]. One of the reasons behind this is that allowable events can be defined in many respects.…”

“…Therefore, this paper extends our previous findings on the application of category utility function to evaluate clustering algorithms that are designed to process intrusion logs [10]. Category utility function has been defined in [5] and in [7] as a measure of goodness of dataset that are clustered together [10,12].…”

“…Therefore, there is need to select appropriate clustering algorithm and attributes that will help to discriminate failed attacks from realistic attacks whenever intrusive logs are investigated. Thereafter, it is necessary to evaluate the clustering algorithms that are used in this case so that the chances of correctly predicting suitable attributes of each group of the attacks (clustering criteria) given the probabilities of known attributes of the same attacks can be maximized [10]. The premise is that the results will also help to predict unknown attributes that can enhance countermeasures, or help to thwart successful attacks while in progress.…”

“…Category utility function has been defined in [5] and in [7] as a measure of goodness of dataset that are clustered together [10,12]. Category utility justifies probabilistic rules that can be used to correctly predict information an observer can gain on unclassified examples if the probability of each value of the clustering criteria is known.…”

“…Nevertheless, comparisons of clusters of failed attacks with clusters of successful attacks are not objectively evaluated over the years [8]. Instead, it is either they were clustered together or each group was erroneously analyzed differently [10].…”

A Framework for Evaluating Clustering Algorithm

Regeneration of events using system snapshots for cloud forensic analysis

Regenerating Cloud Attack Scenarios using LVM2 based System Snapshots for Forensic Analysis