Network protocol classification plays an important role in modern network security and fine-grained management architectures. State-of-the-art network protocol classification methods aim to take advantage of flow statistical features and machine learning techniques. However, the classification performance is severely affected by limited supervised information and unknown network protocols...
Scanning acquires status information regarding target hosts. In networks, attackers often conduct coordinated scans of the target host or network segment because such scans are efficient and stealthy. However, an algorithm that effectively detects coordinated scans has not yet been developed. In this study, we identify a coordinated scan under a single controller during a clustering analysis of the...
Intrusion Detection Systems (IDS) can produce large amounts of alert data, which is typically highly redundant and repetitive. Such data makes event processing for network security significantly more difficult. Current clustering algorithms use the cluster center to calculate distances, which leads to fairly large calculation errors. In order to aggregate the massive alert...
There is a big difference between the IDS alerts from the network backbone and those from the lab. However, little work has been done to mine attack models from IDS alerts on the network backbone. The contributions of this paper are three-fold. First, we propose an alert reduction method based on statistical redundancy (RMSR) to reduce alert redundancy. Second, we propose a two-stage clustering...
Alarm correlation is an essential function of network management systems, providing detection, isolation and correlation of unusual operational behaviour in a telecommunication network. However, existing alarm correlation approaches still rely on manual processing and depend on the knowledge of the network operators. Since the telecommunication network produces a number of alarms which are...
Network anomaly detection is a critical aspect of network management, for instance for QoS and security. The continual emergence of new anomalies and attacks creates a constant challenge to cope with events that put network integrity at risk. Most network anomaly detection systems proposed so far employ a supervised strategy to accomplish the task, using either signature-based detection methods...
Distributed Denial of Service (DDoS) attacks pose an increasing threat to the current internet. The detection of such attacks plays an important role in maintaining the security of networks. In this paper, we propose a novel adaptive clustering method combined with feature ranking for DDoS attack detection. First, based on the analysis of network traffic, preliminary variables are selected. Second,...
Intrusion Detection Systems (IDS) have been widely deployed in practice for detecting malicious behavior on network communications and hosts. False-positive alerts are a well-known problem for most IDS approaches. A solution to this problem is the correlation and clustering of alerts. To meet practical requirements, this process needs to be finished as soon as possible,...
For the alarm flooding problem, a hierarchical alarm processing model is studied to filter, reduce and correlate alarms. In filtering, false alarms are eliminated with a repository. In reduction, a reduction algorithm is designed to remove duplicate alarms in real time. In correlation, a frequent episodes algorithm is implemented on training data to help the clustering-based correlation algorithm find...
With the rapid increase in network security events, network security monitoring and the management of network behavior are receiving more and more attention in computer science. This paper develops a fuzzy constraint correlation algorithm based on the prerequisites and consequences of security events. The introduction of fuzzy constraint correlation can resolve the issues of false negatives and...
Most researchers do not distinguish between stepping-stone detection and stepping-stone intrusion detection, and thus introduce more false-positive errors in detecting stepping-stone intrusion. The approaches proposed to detect stepping-stone intrusion are vulnerable to intruders' evasion. In this paper we analyze the problems of the current model used to detect stepping stones, and propose a new model based...
As security threats advance drastically, most organizations deploy multiple network intrusion detection systems (NIDSs) to optimize detection and to provide a comprehensive view of intrusion activity. But NIDSs trigger a massive number of alerts even in a single day and overwhelm security experts. Thus, automated and intelligent clustering is important to reveal their structural correlation...
In the past several years, alert correlation methods have been advocated to discover high-level attack scenarios by correlating low-level alerts. The causal correlation method based on prerequisites and consequences has great advantages in the process of correlating alerts. But it depends on a complicated background knowledge base and has limits in discovering new attacks. The cluster...
Signature-based network intrusion detection systems (NIDSs) often report a massive number of elementary alerts for low-level security-related events which are logically part of a single multi-stage attack. Overwhelmed by these alerts, security administrators are almost unable to discover complicated multi-stage attacks in time. It is necessary to develop a real-time system to extract useful...
Intrusion detection can be defined as the process of identifying malicious behavior that targets a network and its resources. An important problem in the field of intrusion detection is the management of alerts. This paper describes a real-time aggregation and correlation system named Alertclu. With the aid of similarity-based alert clustering analysis, Alertclu can improve the aggregation...
Nowadays, it is becoming more and more important to construct high-level attack scenarios from the low-level intrusion alerts reported by intrusion detection systems (IDSs). Some methods have been presented to resolve this problem. These methods have different strengths, but they also have different limitations. In order to build complicated attack processes accurately, this paper uses cluster and correlation...
For the purpose of reducing redundant alerts and false alerts as well as recognizing complicated attack scenarios, a multilevel model of alert fusion is presented. This model fuses alerts layer upon layer through primary alert reduction, alert verification, alert clustering and alert correlation. In order to construct accurate and complete attack sensors, in the phase of alert clustering, this paper...