Alert Correlation Using a Novel Clustering Approach

Ashara Banu  Mohamed; Norbik Bashah  Idris; Bharanidharan Shanmugam

doi:10.1109/CSNT.2012.212

Alert Correlation Using a Novel Clustering Approach

Ashara Banu Mohamed, Norbik Bashah Idris, Bharanidharan Shanmugam

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper published in Proceedings › Research › peer-review

Abstract

Since the birth of Intrusion Detection System (IDS)technology, the most significant implementation problem is theenormous number of alerts generated by the IDS sensors. Moreover due to this obtrusive predicament, two other problems have emerged which are the difficulty in processing the alerts accurately and also the decrease in performance rate in terms of time and memory capacity while processing these alerts. Thus, based on the specified problems, the purpose of our overall research is to construct a holistic solution that is able to reduce the number of alerts to be processed and at the same time to produce a high quality attack scenarios that are meaningful tothe administrators in a timely manner. However for the purpose of this paper we will present our proposed clustering method, architectured solely with the intention of reducing the amount of alerts generated by IDS. The clustering method was tested against a live data from a cyber attack monitoring unit that uses SNORT engine to capture the alerts. The result obtained from the experiment is very promising; the clustering algorithm was able to reduce about 86.9% of the alerts used in the experiment. From the result we are able to highlight the contribution to practitioners in an actual working environment.

Original language	English
Title of host publication	2012 International Conference on Communication Systems and Network Technologies
Editors	Geetam Tomar, Gauri S. Mittal, Frank Z. Wang
Place of Publication	Rajkot, India
Publisher	IEEE Computer Society
Pages	720-725
Number of pages	6
ISBN (Print)	9781467315388
DOIs	https://doi.org/10.1109/CSNT.2012.212
Publication status	Published - 2012
Externally published	Yes
Event	Communication Systems and Network Technologies (CSNT) - Rajkot, India , India Duration: 11 May 2012 → 13 May 2012

Conference

Conference	Communication Systems and Network Technologies (CSNT)
Country	India
Period	11/05/12 → 13/05/12

Fingerprint

Intrusion detection

Processing

Clustering algorithms

Experiments

Engines

Data storage equipment

Monitoring

Sensors

Cite this

Mohamed, A. B., Idris, N. B., & Shanmugam, B. (2012). Alert Correlation Using a Novel Clustering Approach. In G. Tomar, G. S. Mittal, & F. Z. Wang (Eds.), 2012 International Conference on Communication Systems and Network Technologies (pp. 720-725). Rajkot, India: IEEE Computer Society. https://doi.org/10.1109/CSNT.2012.212

Mohamed, Ashara Banu ; Idris, Norbik Bashah ; Shanmugam, Bharanidharan. / Alert Correlation Using a Novel Clustering Approach. 2012 International Conference on Communication Systems and Network Technologies . editor / Geetam Tomar ; Gauri S. Mittal ; Frank Z. Wang. Rajkot, India : IEEE Computer Society, 2012. pp. 720-725

@inproceedings{b9ce15880e7b416e90b7dddb8453ee1f,

title = "Alert Correlation Using a Novel Clustering Approach",

abstract = "Since the birth of Intrusion Detection System (IDS)technology, the most significant implementation problem is theenormous number of alerts generated by the IDS sensors. Moreover due to this obtrusive predicament, two other problems have emerged which are the difficulty in processing the alerts accurately and also the decrease in performance rate in terms of time and memory capacity while processing these alerts. Thus, based on the specified problems, the purpose of our overall research is to construct a holistic solution that is able to reduce the number of alerts to be processed and at the same time to produce a high quality attack scenarios that are meaningful tothe administrators in a timely manner. However for the purpose of this paper we will present our proposed clustering method, architectured solely with the intention of reducing the amount of alerts generated by IDS. The clustering method was tested against a live data from a cyber attack monitoring unit that uses SNORT engine to capture the alerts. The result obtained from the experiment is very promising; the clustering algorithm was able to reduce about 86.9{\%} of the alerts used in the experiment. From the result we are able to highlight the contribution to practitioners in an actual working environment.",

author = "Mohamed, {Ashara Banu} and Idris, {Norbik Bashah} and Bharanidharan Shanmugam",

year = "2012",

doi = "10.1109/CSNT.2012.212",

language = "English",

isbn = "9781467315388",

pages = "720--725",

editor = "Geetam Tomar and Mittal, {Gauri S.} and Wang, {Frank Z.}",

booktitle = "2012 International Conference on Communication Systems and Network Technologies",

publisher = "IEEE Computer Society",

address = "United States",

}

Mohamed, AB, Idris, NB & Shanmugam, B 2012, Alert Correlation Using a Novel Clustering Approach. in G Tomar, GS Mittal & FZ Wang (eds), 2012 International Conference on Communication Systems and Network Technologies . IEEE Computer Society, Rajkot, India, pp. 720-725, Communication Systems and Network Technologies (CSNT), India, 11/05/12. https://doi.org/10.1109/CSNT.2012.212

Alert Correlation Using a Novel Clustering Approach. / Mohamed, Ashara Banu ; Idris, Norbik Bashah ; Shanmugam, Bharanidharan.

2012 International Conference on Communication Systems and Network Technologies . ed. / Geetam Tomar; Gauri S. Mittal; Frank Z. Wang. Rajkot, India : IEEE Computer Society, 2012. p. 720-725.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper published in Proceedings › Research › peer-review

TY - GEN

T1 - Alert Correlation Using a Novel Clustering Approach

AU - Mohamed, Ashara Banu

AU - Idris, Norbik Bashah

AU - Shanmugam, Bharanidharan

PY - 2012

Y1 - 2012

N2 - Since the birth of Intrusion Detection System (IDS)technology, the most significant implementation problem is theenormous number of alerts generated by the IDS sensors. Moreover due to this obtrusive predicament, two other problems have emerged which are the difficulty in processing the alerts accurately and also the decrease in performance rate in terms of time and memory capacity while processing these alerts. Thus, based on the specified problems, the purpose of our overall research is to construct a holistic solution that is able to reduce the number of alerts to be processed and at the same time to produce a high quality attack scenarios that are meaningful tothe administrators in a timely manner. However for the purpose of this paper we will present our proposed clustering method, architectured solely with the intention of reducing the amount of alerts generated by IDS. The clustering method was tested against a live data from a cyber attack monitoring unit that uses SNORT engine to capture the alerts. The result obtained from the experiment is very promising; the clustering algorithm was able to reduce about 86.9% of the alerts used in the experiment. From the result we are able to highlight the contribution to practitioners in an actual working environment.

AB - Since the birth of Intrusion Detection System (IDS)technology, the most significant implementation problem is theenormous number of alerts generated by the IDS sensors. Moreover due to this obtrusive predicament, two other problems have emerged which are the difficulty in processing the alerts accurately and also the decrease in performance rate in terms of time and memory capacity while processing these alerts. Thus, based on the specified problems, the purpose of our overall research is to construct a holistic solution that is able to reduce the number of alerts to be processed and at the same time to produce a high quality attack scenarios that are meaningful tothe administrators in a timely manner. However for the purpose of this paper we will present our proposed clustering method, architectured solely with the intention of reducing the amount of alerts generated by IDS. The clustering method was tested against a live data from a cyber attack monitoring unit that uses SNORT engine to capture the alerts. The result obtained from the experiment is very promising; the clustering algorithm was able to reduce about 86.9% of the alerts used in the experiment. From the result we are able to highlight the contribution to practitioners in an actual working environment.

U2 - 10.1109/CSNT.2012.212

DO - 10.1109/CSNT.2012.212

M3 - Conference Paper published in Proceedings

SN - 9781467315388

SP - 720

EP - 725

BT - 2012 International Conference on Communication Systems and Network Technologies

A2 - Tomar, Geetam

A2 - Mittal, Gauri S.

A2 - Wang, Frank Z.

PB - IEEE Computer Society

CY - Rajkot, India

ER -

Mohamed AB, Idris NB, Shanmugam B. Alert Correlation Using a Novel Clustering Approach. In Tomar G, Mittal GS, Wang FZ, editors, 2012 International Conference on Communication Systems and Network Technologies . Rajkot, India: IEEE Computer Society. 2012. p. 720-725 https://doi.org/10.1109/CSNT.2012.212

Access to Document

10.1109/CSNT.2012.212