Network attack scenarios extraction and categorization by mining IDS alert streams

Document Type

Article

Publication Date

10-6-2005

Abstract

The past few years have witnessed a significant increase in DDoS attacks on the Internet, making network security a great concern. With the attacks getting more sophisticated, automatically reasoning about attack scenarios in real time and categorizing those scenarios has become a critical challenge. However, the overwhelming flow of events generated by Intrusion Detection System (IDS) sensors makes it hard for security administrators to uncover hidden attack plans. This paper presents a semantic vector space model to extract and categorize attack scenarios based on First-order Logic (FOL) and linguistics. A modified Case Grammar is introduced to formalize the heterogeneous IDS alerts into uniform, structured alert streams. Attack resolution is then used to generate the attack semantic network. Afterwards, mutual information is used to determine the semantic context range of each alert. Based on the attack ontology and alert contexts, attack scenarios are extracted and the alerts are represented as vectors in the attack semantic space. Finally, text categorization techniques are used to categorize the intrusion stages. The preliminary results show that our model performs better than traditional alert correlation. © J.UCS.

Identifier

25444461348 (Scopus)

Publication Title

Journal of Universal Computer Science

e-ISSN

09486968

ISSN

0958695X

First Page

1367

Last Page

1382

Issue

8

Volume

11
