Sciweavers

AI
2008
Springer

Using Unsupervised Learning for Network Alert Correlation

14 years 7 months ago
Using Unsupervised Learning for Network Alert Correlation
Alert correlation systems are post-processing modules that enable intrusion analysts to find important alerts and filter false positives efficiently from the output of Intrusion Detection Systems. Typically, however, these modules require high levels of human involvement in creating the system and/or maintaining it, as patterns of attacks change as often as from month to month. We present an alert correlation system based on unsupervised machine learning algorithms that is accurate and low maintenance. The system is implemented in two stages of correlation. At the first stage, alerts are grouped together such that each group forms one step of an attack. At the second stage, the groups created at the first stage are combined such that each combination of groups contains the alerts of precisely one full attack. We tested various implementations of the system. The most successful one relies in the first stage on a new unsupervised algorithm inspired by an existing novelty detection ...
Reuben Smith, Nathalie Japkowicz, Maxwell Dondo, P
Added 01 Jun 2010
Updated 01 Jun 2010
Type Conference
Year 2008
Where AI
Authors Reuben Smith, Nathalie Japkowicz, Maxwell Dondo, Peter Mason
Comments (0)