
Proceedings Paper

AutoCorrel II: a neural network event correlation approach
Author(s): Maxwell G. Dondo; Peter Mason; Nathalie Japkowicz; Reuben Smith
Format   Member Price   Non-Member Price
PDF      $14.40         $18.00

Paper Abstract

As a follow-up to our earlier model, Autocorrel I, we have implemented a two-stage event correlation approach with improved performance. Like Autocorrel I, the new model correlates intrusion detection system (IDS) alerts to automate alert and incident management and reduce the workload on an IDS analyst. We achieve this correlation by clustering similar alerts, so that the analyst need only consider a few clusters rather than hundreds or thousands of individual alerts. The first stage uses an artificial neural network (ANN)-based autoassociator (AA). The AA's objective is to reproduce each alert at its output; in the process, it uses an error metric, the reconstruction error (RE) between its input and output, to cluster similar alerts. To improve the accuracy of the system, we add a second machine-learning stage that takes into account the RE as well as raw attribute information from the input alerts. This stage uses the Expectation-Maximisation (EM) clustering algorithm. The performance of this approach is tested with intrusion alerts generated by a Snort IDS on DARPA's 1999 IDS evaluation data as well as incidents.org alerts.
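As an added illustration of the first stage only (this is not code from the paper or its authors): a small numpy autoassociator is trained to reproduce one-hot encoded Snort-style alerts, and each new alert's reconstruction error decides which group it joins. The alert vocabulary, the threshold rule for grouping by RE, and all sample alerts are constructed assumptions, not the paper's data or method.

```python
import numpy as np

# Constructed alert vocabulary (illustrative, not from the paper): each alert is
# one-hot encoded over its signature, protocol and destination-port class.
SIGS = ["portscan", "icmp_sweep", "web_cgi", "ftp_login"]
PROTOS, DPORTS = ["tcp", "udp", "icmp"], ["low", "high"]

def encode(sig, proto, dport):
    v = np.zeros(len(SIGS) + len(PROTOS) + len(DPORTS))
    v[SIGS.index(sig)] = 1
    v[len(SIGS) + PROTOS.index(proto)] = 1
    v[len(SIGS) + len(PROTOS) + DPORTS.index(dport)] = 1
    return v

def train_autoassociator(X, hidden=4, lr=0.05, epochs=5000, seed=0):
    """Tanh-hidden, linear-output autoassociator trained by full-batch gradient descent."""
    rng = np.random.default_rng(seed)
    d = X.shape[1]
    W1, b1 = rng.normal(scale=0.3, size=(d, hidden)), np.zeros(hidden)
    W2, b2 = rng.normal(scale=0.3, size=(hidden, d)), np.zeros(d)
    for _ in range(epochs):
        H = np.tanh(X @ W1 + b1)
        err = H @ W2 + b2 - X               # output minus target, per alert
        dH = (err @ W2.T) * (1 - H ** 2)    # backpropagate through tanh
        W2 -= lr * H.T @ err / len(X); b2 -= lr * err.mean(0)
        W1 -= lr * X.T @ dH / len(X); b1 -= lr * dH.mean(0)
    return W1, b1, W2, b2

def reconstruction_error(model, x):
    """RE: mean squared difference between an alert and the AA's reproduction of it."""
    W1, b1, W2, b2 = model
    return float(np.mean((np.tanh(x @ W1 + b1) @ W2 + b2 - x) ** 2))

def cluster_by_re(model, alerts, threshold):
    """Assumed grouping rule: RE under threshold -> 'known' cluster, otherwise 'novel'."""
    groups = {"known": [], "novel": []}
    for name, x in alerts:
        re = reconstruction_error(model, x)
        groups["known" if re < threshold else "novel"].append((name, round(re, 4)))
    return groups

def demo():
    # Constructed history: three recurring alert types the AA is trained on.
    history = [encode("portscan", "tcp", "high"), encode("icmp_sweep", "icmp", "low"),
               encode("web_cgi", "tcp", "low")] * 10
    model = train_autoassociator(np.array(history))
    new_alerts = [("scan-1", encode("portscan", "tcp", "high")), ("cgi-7", encode("web_cgi", "tcp", "low")),
                  ("ftp-2", encode("ftp_login", "udp", "high"))]  # combination unseen in history
    return cluster_by_re(model, new_alerts, threshold=0.05)
```

Alerts the AA has learned to reproduce land in the "known" group with a small RE, while an alert built from attribute values absent from the training history cannot be reproduced and is set aside for the analyst; the paper's second (EM) stage, which also uses raw attributes, is not shown here.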

Paper Details

Date Published: 9 April 2007
PDF: 12 pages
Proc. SPIE 6570, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2007, 65700H (9 April 2007); doi: 10.1117/12.707922
Maxwell G. Dondo, DRDC-Ottawa (Canada)
Peter Mason, DRDC-Ottawa (Canada)
Nathalie Japkowicz, Univ. of Ottawa (Canada)
Reuben Smith, Univ. of Ottawa (Canada)


Published in SPIE Proceedings Vol. 6570:
Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2007
Belur V. Dasarathy, Editor(s)
