Paper
18 April 2006 Distinguishing false from true alerts in Snort by data mining patterns of alerts
Jidong Long, Daniel Schwartz, Sara Stoecklin
Author Affiliations +
Abstract
The Snort network intrusion detection system is well known for triggering large numbers of false alerts. In addition, it usually only warns of a potential attack without stating what kind of attack it might be. This paper presents a clustering approach for handling Snort alerts more effectively. Central to this approach is the representation of alerts using the Intrusion Detection Message Exchange Format, which is written in XML. All the alerts for each network session are assembled into a single XML document, thereby representing a pattern of alerts. A novel XML distance measure is proposed to obtain the distance between two such XML documents. A classical clustering algorithm, implemented based on this distance measure, is then applied to group the alert patterns into clusters. Our experiment with the MIT 1998 DARPA data sets demonstrates that the clustering algorithm can distinguish between normal sessions that give rise to false alerts and those sessions that contain real attacks, and in about half of the latter cases can effectively identify the name of the attack.
© (2006) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Jidong Long, Daniel Schwartz, and Sara Stoecklin "Distinguishing false from true alerts in Snort by data mining patterns of alerts", Proc. SPIE 6241, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006, 62410B (18 April 2006); https://doi.org/10.1117/12.665211
Lens.org Logo
CITATIONS
Cited by 16 scholarly publications.
Advertisement
Advertisement
RIGHTS & PERMISSIONS
Get copyright permission  Get copyright permission on Copyright Marketplace
KEYWORDS
Distance measurement

Computer intrusion detection

Data mining

Databases

Quality measurement

Analytical research

Associative arrays

Back to Top