{"title":"High Threat Alarms Mining for Effective Security Management: Modeling, Experiment and Application","authors":"Yongwei Meng, Tao Qin, Yukun Liu, Chao He","doi":"10.1109/ISCC.2018.8538535","DOIUrl":null,"url":null,"abstract":"Intrusion Prevention System (IPS) is important for network security management as it can help the administrator by generating alarms corresponding to different attacks. But there are many false alarms due to their running mechanism, which greatly reduces its usability. In this paper, we develop a hierarchical framework to mine high threat alarms from raw massive logs. We first divide the raw alarms into two parts based on their attributes, the first part mainly include alarms from several kinds of serious attacks while others constitute the second part. To mine high threat alarms from the first part, we proposed a similar alarm mining method based on Choquet Integral to cluster and rank the results of clustering. The potential threats are mixed with many false alarms in the second part, to reduce effect from false alarms, we employ the frequent pattern mining algorithm to mine correlation rules and employ them to filter the false alarms. Following we qualify the threat degree of those alarms based on the features extracted from characteristics of alarms themselves. Experimental results based on the data collected from the campus network of Xi’an Jiaotong University verify the efficiency and accuracy of the developed methods. Based on the mining and ranking results, administrators can deal with the high threats with their limited time and energy to keep the network under control.","PeriodicalId":233592,"journal":{"name":"2018 IEEE Symposium on Computers and Communications (ISCC)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE Symposium on Computers and Communications (ISCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCC.2018.8538535","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 3
Abstract
An Intrusion Prevention System (IPS) is important for network security management because it helps the administrator by generating alarms that correspond to different attacks. However, its operating mechanism produces many false alarms, which greatly reduces its usability. In this paper we develop a hierarchical framework to mine high-threat alarms from massive raw logs. We first divide the raw alarms into two parts based on their attributes: the first part mainly consists of alarms from several kinds of serious attacks, and the remaining alarms constitute the second part. To mine high-threat alarms from the first part, we propose a similar-alarm mining method based on the Choquet integral, which clusters the alarms and ranks the resulting clusters. In the second part the potential threats are mixed with many false alarms; to reduce their effect, we employ a frequent pattern mining algorithm to mine correlation rules and use those rules to filter the false alarms. We then quantify the threat degree of the remaining alarms based on features extracted from the characteristics of the alarms themselves. Experimental results on data collected from the campus network of Xi’an Jiaotong University verify the efficiency and accuracy of the developed methods. Based on the mining and ranking results, administrators can deal with the high threats within their limited time and energy and keep the network under control.
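The two-branch pipeline the abstract describes, as an added toy example that is not the authors' code. Everything concrete in it is an assumption: the alarm records are constructed, the "serious attack" signatures used for the split (`SERIOUS_SIGS`), the three cluster features (alarm count, severity, number of distinct destinations), the fuzzy measure `MU` that drives the Choquet integral, and the rule that a signature set recurring across most sources is background noise are all ours, since the paper's actual attributes, features and measure are not on this page. What the example does show is the mechanics: how a Choquet integral lets two features reinforce or overlap instead of being summed linearly, and how Apriori-style frequent itemsets turn into correlation rules that filter alarms before the residue is scored.

```python
"""Toy version of the two-branch alarm-mining pipeline: split raw alarms, rank
clusters of serious alarms with a Choquet integral, filter the rest with
frequent-pattern correlation rules, then score what survives.  Added example,
not the paper's code; all alarm data below is constructed."""
from collections import defaultdict
from itertools import combinations

# Constructed IPS alarms (not real logs): (signature, severity 1-5, src, dst)
ALARMS = [
    ("SQLi", 5, "10.0.0.5", "192.168.1.10"), ("SQLi", 5, "10.0.0.5", "192.168.1.10"),
    ("SQLi", 5, "10.0.0.5", "192.168.1.11"), ("SQLi", 5, "10.0.0.5", "192.168.1.12"),
    ("RCE", 5, "10.0.0.9", "192.168.1.20"),
    ("ICMP-Sweep", 1, "10.0.1.1", "192.168.1.0"), ("SNMP-Probe", 2, "10.0.1.1", "192.168.1.1"),
    ("ICMP-Sweep", 1, "10.0.1.2", "192.168.1.0"), ("SNMP-Probe", 2, "10.0.1.2", "192.168.1.1"),
    ("ICMP-Sweep", 1, "10.0.1.3", "192.168.1.0"), ("SNMP-Probe", 2, "10.0.1.3", "192.168.1.1"),
    ("ICMP-Sweep", 1, "10.0.2.7", "192.168.1.0"),
    ("Dir-Traversal", 3, "10.0.2.7", "192.168.1.30"), ("Dir-Traversal", 3, "10.0.2.7", "192.168.1.30"),
    ("Bad-UA", 2, "10.0.2.7", "192.168.1.30"),
]
SERIOUS_SIGS = {"SQLi", "RCE", "Backdoor"}  # assumed attribute used for the split

# Assumed fuzzy measure over the cluster features (the paper's measure is not given
# here).  Monotone, mu(empty)=0, mu(all)=1.  sev+spread is additive (0.5+0.3=0.8)
# while count+spread is sub-additive (0.5 < 0.3+0.3): both measure breadth and overlap.
MU = {
    frozenset(): 0.0,
    frozenset({"count"}): 0.3, frozenset({"sev"}): 0.5, frozenset({"spread"}): 0.3,
    frozenset({"count", "sev"}): 0.7, frozenset({"count", "spread"}): 0.5,
    frozenset({"sev", "spread"}): 0.8, frozenset({"count", "sev", "spread"}): 1.0,
}

def split_alarms(alarms):
    """Part one: alarms whose signature is in the assumed serious set; part two: the rest."""
    return ([a for a in alarms if a[0] in SERIOUS_SIGS],
            [a for a in alarms if a[0] not in SERIOUS_SIGS])

def choquet(x, mu):
    """Discrete Choquet integral of x (feature -> [0,1]) w.r.t. fuzzy measure mu.
    Sort features ascending; each increment x_(i) - x_(i-1) is weighted by mu of
    the set of features whose value is at least x_(i)."""
    names = sorted(x, key=x.get)
    total, prev = 0.0, 0.0
    for i, name in enumerate(names):
        total += (x[name] - prev) * mu[frozenset(names[i:])]
        prev = x[name]
    return total

def rank_clusters(alarms, mu):
    """Cluster by (signature, src); rank clusters by the Choquet score of their
    normalised count, severity and distinct-destination spread."""
    groups = defaultdict(list)
    for a in alarms:
        groups[(a[0], a[2])].append(a)
    if not groups:
        return []
    max_count = max(len(g) for g in groups.values())
    max_spread = max(len({a[3] for a in g}) for g in groups.values())
    scored = [(key, choquet({"count": len(g) / max_count,
                             "sev": max(a[1] for a in g) / 5.0,
                             "spread": len({a[3] for a in g}) / max_spread}, mu))
              for key, g in groups.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)

def frequent_itemsets(transactions, min_support):
    """Apriori: signature sets whose support across transactions >= min_support."""
    n, k, frequent = len(transactions), 1, {}
    candidates = [frozenset([i]) for i in sorted({i for t in transactions for i in t})]
    while candidates:
        level = {c: sum(1 for t in transactions if c <= t) / n for c in candidates}
        level = {c: s for c, s in level.items() if s >= min_support}
        frequent.update(level)
        candidates = sorted({a | b for a, b in combinations(level, 2)
                             if len(a | b) == k + 1}, key=sorted)
        k += 1
    return frequent

def correlation_rules(frequent, min_conf):
    """Rules A -> b with confidence sup(A u {b}) / sup(A) from the frequent sets."""
    rules = []
    for items, sup in frequent.items():
        for b in items if len(items) >= 2 else ():
            ante = items - {b}
            if sup / frequent[ante] >= min_conf:
                rules.append((ante, b, sup / frequent[ante]))
    return rules

def filter_false_alarms(alarms, min_support=0.5, min_conf=0.6):
    """Assumed filter (ours, not the paper's): each source's signature set is one
    transaction; signatures that take part in a mined correlation rule recur across
    most sources and are treated as routine chatter, i.e. false alarms."""
    per_src = defaultdict(set)
    for a in alarms:
        per_src[a[2]].add(a[0])
    rules = correlation_rules(frequent_itemsets(list(per_src.values()), min_support), min_conf)
    noise = {s for ante, b, _ in rules for s in ante | {b}}
    return [a for a in alarms if a[0] not in noise], rules

if __name__ == "__main__":
    first, second = split_alarms(ALARMS)
    for key, score in rank_clusters(first, MU):
        print("part 1", key, round(score, 3))
    kept, rules = filter_false_alarms(second)
    print("rules", rules)
    for key, score in rank_clusters(kept, MU):
        print("part 2", key, round(score, 3))
```

On the constructed data the single RCE alarm scores 0.65 rather than the 0.5 a plain severity weight would give it, because the increment of severity above the other two features is credited at `MU[{sev}]` only after the shared part has been credited at `MU[all]`; that is the interaction a linear weighted sum cannot express. The filter drops every ICMP-Sweep and SNMP-Probe alarm, including the sweep from 10.0.2.7, and the directory-traversal and user-agent alarms from that host are what remains to be scored.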