redAlert: Data-mining and visualisation for IP data analysis

Security of modem multi-service IP networks has become central to company profitability and success. In this context, automated intrusion detection remains crucially important for detecting malicious activity and potential attacks. This paper focuses on redAlert, a data-mining/statistical tool where the fundamental idea is to recognise intrusion attempts by observing changes in behaviour associated with particular IP addresses. The art of the technique is to adequately characterise behaviours and so sort each IP address into a cluster, then look for uncommon changes from one cluster to another, referred to as rare events. In performance evaluation, redAlert successfully identified IP addresses responsible for rare events, demonstrating that data-mining has good potential for IP intrusion detection.