Distinguishing false from true alerts in Snort by data mining patterns of alerts

Cited by: 2
Authors
Long, Jidong [1 ]
Schwartz, Daniel [1 ]
Stoecklin, Sara [1 ]
Affiliations
[1] Florida State Univ, Dept Comp Sci, Tallahassee, FL 32306 USA
Keywords
data-mining; distance measures; intrusion detection; Snort;
DOI
10.1117/12.665211
CLC classification number
TP18 [Artificial intelligence theory];
Subject classification codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
The Snort network intrusion detection system is well known for triggering large numbers of false alerts. In addition, it usually only warns of a potential attack without stating what kind of attack it might be. This paper presents a clustering approach for handling Snort alerts more effectively. Central to this approach is the representation of alerts using the Intrusion Detection Message Exchange Format, which is written in XML. All the alerts for each network session are assembled into a single XML document, thereby representing a pattern of alerts. A novel XML distance measure is proposed to obtain the distance between two such XML documents. A classical clustering algorithm, implemented based on this distance measure, is then applied to group the alert patterns into clusters. Our experiment with the MIT 1998 DARPA data sets demonstrates that the clustering algorithm can distinguish between normal sessions that give rise to false alerts and those sessions that contain real attacks, and in about half of the latter cases can effectively identify the name of the attack.
Pages: 10