Authors:
Nelson Uto (1); Helen Teixeira (1); Andre Blazko (1); Marcos Ferreira de Paula (1); Renata Cicilini Teixeira (1) and Mamede Lima Marques (2)
Affiliations:
(1) CPqD Telecom & IT Solutions, Brazil; (2) Universidade de Brasilia, Brazil
Keyword(s):
Network security, security event correlation, semi-automatic rule generation, data mining.
Subjects/Areas/Topics:
Information and Systems Security; Intrusion Detection & Prevention
Abstract:
Current implementations of intrusion detection systems (IDSs) have two drawbacks: 1) they normally generate far too many false positives, overloading human operators to such an extent that they cannot respond effectively to the real alerts; 2) depending on the proportion of genuine attacks within the total network traffic, an IDS may never be effective. One approach to overcoming these obstacles is to correlate information from a wide variety of network sensors, not just IDSs, in order to obtain a more complete picture on which to base decisions as to whether alerted events represent malicious activity or not. The challenge in such an analysis is the generation of the correlation rules that are to be used. At present, creating these rules is a time-consuming manual task that requires expert knowledge. This work describes how data mining, specifically the k-means clustering technique, can be employed to assist in the semi-automatic generation of such correlation rules.