Mining intrusion detection alarms for actionable knowledge

Klaus Julisch, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

183 Citations (Scopus)

Abstract

In response to attacks against enterprise networks, administrators increasingly deploy intrusion detection systems. These systems monitor hosts, networks, and other resources for signs of security violations. The use of intrusion detection has given rise to another difficult problem, namely the handling of a generally large number of alarms. In this paper, we mine historical alarms to learn how future alarms can be handled more efficiently. First, we investigate episode rules with respect to their suitability in this approach. We report the difficulties encountered and the unexpected insights gained. In addition, we introduce a new conceptual clustering technique, and use it in extensive experiments with real-world data to show that intrusion detection alarms can be handled efficiently by using previously mined knowledge.
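The abstract only states that alarms are clustered by generalizing their attributes and that the resulting clusters are reused to handle later alarms. The following Python program is an added illustration of that idea, not code from the paper: it performs a simplified attribute-oriented induction, generalizing source address, destination address, port and signature along hand-written taxonomies, one level at a time, until groups of at least `min_size` alarms emerge, then checks whether a new alarm falls into a mined cluster. The alarms, the 10.0.0.0/8 "internal" zone, the signature names and their categories, and the attribute-selection heuristic are all constructed assumptions; whether the paper's algorithm uses this exact heuristic is not stated in the abstract.

```python
"""Simplified attribute-oriented induction over IDS alarms.

Added example, not the paper's code.  Alarm records, taxonomies and the
attribute-selection heuristic are constructed for illustration.
"""
from collections import Counter
import ipaddress

# Assumption: 10.0.0.0/8 is the monitored internal network.  Membership is
# tested explicitly because ipaddress.is_private also covers the RFC 5737
# documentation ranges used as "external" sources below.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed signature taxonomy (hypothetical signature names).
SIG_CATEGORY = {
    "WEB-IIS cmd.exe access": "web-attack",
    "SSH brute force": "login-attack",
    "SMB overflow": "exploit",
}


def ip_path(ip):
    """Generalization path for an address: host -> /24 -> zone -> any."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    zone = "internal" if any(addr in n for n in INTERNAL_NETS) else "external"
    return [ip, str(net), zone, "any-ip"]


def port_path(port):
    """Generalization path for a port: number -> privileged? -> any."""
    return [str(port), "privileged" if port < 1024 else "unprivileged", "any-port"]


def sig_path(sig):
    """Generalization path for a signature: name -> category -> any."""
    return [sig, SIG_CATEGORY.get(sig, "other"), "any-signature"]


def alarm_paths(alarm):
    return [ip_path(alarm["src"]), ip_path(alarm["dst"]),
            port_path(alarm["port"]), sig_path(alarm["sig"])]


def cluster_alarms(alarms, min_size):
    """Return (clusters, leftover).  Each cluster is (generalized key, count);
    leftover holds alarms that never reached min_size even when fully
    generalized, i.e. the ones that still need an analyst."""
    paths = [alarm_paths(a) for a in alarms]
    n_attr = len(paths[0])
    levels = [0] * n_attr          # current generalization level per attribute
    remaining = list(range(len(alarms)))
    clusters = []

    def key(i):
        return tuple(paths[i][k][min(levels[k], len(paths[i][k]) - 1)]
                     for k in range(n_attr))

    while remaining:
        counts = Counter(key(i) for i in remaining)
        big = {k: c for k, c in counts.items() if c >= min_size}
        if big:
            clusters.extend(big.items())
            remaining = [i for i in remaining if key(i) not in big]
            continue
        # Nothing large enough yet: generalize one attribute by one level.
        # Heuristic (assumption): take the attribute with the most distinct
        # values, since it is the one keeping alarms apart; ties go to the
        # lower index.
        candidates = [k for k in range(n_attr)
                      if any(levels[k] < len(paths[i][k]) - 1 for i in remaining)]
        if not candidates:
            break  # fully generalized and still below min_size
        distinct = lambda k: len({key(i)[k] for i in remaining})
        k = max(candidates, key=lambda k: (distinct(k), -k))
        levels[k] += 1
    return clusters, [alarms[i] for i in remaining]


def matches(cluster_key, alarm):
    """True if every attribute of `alarm` generalizes to the cluster's value,
    i.e. previously mined knowledge applies to this new alarm."""
    return all(v in p for v, p in zip(cluster_key, alarm_paths(alarm)))


# Constructed alarms: one internal host probing a web farm, a distributed SSH
# brute force against a single host, and two isolated SMB alarms.
ALARMS = (
    [{"src": "10.0.1.7", "dst": f"10.0.5.{i}", "port": 80,
      "sig": "WEB-IIS cmd.exe access"} for i in range(20, 25)]
    + [{"src": s, "dst": "10.0.5.20", "port": 22, "sig": "SSH brute force"}
       for s in ("203.0.113.5", "203.0.113.9", "198.51.100.77", "198.51.100.12")]
    + [{"src": "192.0.2.1", "dst": "10.0.5.20", "port": 445, "sig": "SMB overflow"},
       {"src": "192.0.2.2", "dst": "10.0.5.20", "port": 139, "sig": "SMB overflow"}]
)

if __name__ == "__main__":
    clusters, leftover = cluster_alarms(ALARMS, min_size=4)
    for k, c in clusters:
        print(c, "alarms generalize to", k)
    print(len(leftover), "alarms left for manual review")
```

With `min_size=4` the run yields two generalized clusters (the 10.0.1.0/24 web probes against 10.0.5.0/24 on port 80, and external sources brute-forcing SSH on the same /24) and leaves the two SMB alarms unclustered; the `matches` check is what would then let an operator recognize future alarms that belong to an already-understood cluster instead of inspecting them one by one.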

Original language: English
Title of host publication: Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining
Editors: D. Hand, D. Keim, R. Ng
Pages: 366-375
Number of pages: 10
Publication status: Published - 2002
Externally published: Yes
Event: KDD 2002 - Proceedings of the Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining - Edmonton, Alta.
Duration: 23 Jul 2002 - 26 Jul 2002



Keywords

  • Alarm investigation
  • Conceptual clustering
  • Data mining
  • Episode rules
  • Intrusion detection

ASJC Scopus subject areas

  • Information Systems

Cite this

Julisch, K., & Dacier, M. (2002). Mining intrusion detection alarms for actionable knowledge. In D. Hand, D. Keim, & R. Ng (Eds.), Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 366-375)

Scopus record: http://www.scopus.com/inward/record.url?scp=0242540448&partnerID=8YFLogxK