Heuristic Method for Labeling Clusters in an Anomaly-Based Intrusion Detection System

  • Hermano Pereira (CELEPAR)
  • Edgard Jamhour (PUCPR)

Abstract


The intrusion detection systems are part of security suite necessary for environment protection that contains information available on the Internet. Among these systems it is highlighted the unsupervised learning, as they are able to extract environment models without prior knowledge concerning the occurrence of attacks among the collected information. A technique used to create these models is the data clustering, where the resulting clusters are labeled either as normal or as attack (in anomalous case). This paper proposes a heuristic method for labeling clusters, where the false positive rates achieved during experiments were significantly lower compared to the methods described in related work.
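To make the cluster-labeling step and the false positive rate concrete, the following added example (not code from the paper, whose own heuristic is not described in this abstract) runs single-pass fixed-width clustering over a constructed 2-D feature set and then labels clusters with the size-based heuristic of earlier clustering IDS work (the largest clusters are taken as normal traffic). The feature vectors, the width of 1.5, the normal fraction of 0.8, and the function names are assumptions made for illustration; ground-truth labels are used only for scoring.

```python
import math

# Constructed sample: 2-D feature vectors (e.g. requests/s, bytes/request),
# already normalised. Labels below are used only to score the result.
NORMAL = [(1.0 + 0.05 * i, 1.0 - 0.03 * i) for i in range(20)]
ODD_BUT_BENIGN = [(3.0, 1.0)]                  # legitimate but unusual traffic
ATTACKS = [(9.0, 9.0), (9.2, 8.8), (8.7, 9.3)]
POINTS = NORMAL + ODD_BUT_BENIGN + ATTACKS
TRUTH = ["normal"] * 21 + ["attack"] * 3


def fixed_width_clustering(points, width):
    """Assign each point to the first cluster whose centre lies within
    `width`; otherwise open a new cluster. No labels are consulted."""
    centres, members = [], []
    for p in points:
        for i, c in enumerate(centres):
            if math.dist(p, c) <= width:
                members[i].append(p)
                break
        else:                       # no existing cluster is close enough
            centres.append(p)
            members.append([p])
    return centres, members


def label_by_size(members, normal_fraction):
    """Size heuristic: the largest clusters are labelled normal until they
    cover `normal_fraction` of all points; every other cluster is attack."""
    total = sum(len(m) for m in members)
    order = sorted(range(len(members)), key=lambda i: -len(members[i]))
    labels, covered = {}, 0
    for i in order:
        labels[i] = "normal" if covered < normal_fraction * total else "attack"
        covered += len(members[i])
    return labels


def evaluate(points, truth, width=1.5, normal_fraction=0.8):
    """Cluster, label, and score against ground truth (FPR and detection rate)."""
    _, members = fixed_width_clustering(points, width)
    cluster_label = label_by_size(members, normal_fraction)
    point_label = {p: cluster_label[i] for i, m in enumerate(members) for p in m}
    tp = fp = tn = fn = 0
    for p, t in zip(points, truth):
        flagged = point_label[p] == "attack"
        if t == "attack":
            tp, fn = tp + int(flagged), fn + int(not flagged)
        else:
            fp, tn = fp + int(flagged), tn + int(not flagged)
    return {"clusters": len(members),
            "fpr": fp / (fp + tn),
            "detection_rate": tp / (tp + fn)}
```

With these inputs the benign outlier forms a one-point cluster that the size heuristic flags as attack, which is exactly the kind of false positive the paper's labeling method aims to reduce.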

Published
2011-11-06
PEREIRA, Hermano; JAMHOUR, Edgard. Método Heurístico para Rotular Grupos em Sistema de Detecção de Intrusão baseado em Anomalia. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 11. , 2011, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2011 . p. 183-196. DOI: https://doi.org/10.5753/sbseg.2011.20572.