CONFERENCE PROCEEDINGS
Advanced Search
Home > Proceedings > Volume 9121 > Article
Paper
22 May 2014 Characterization of computer network events through simultaneous feature selection and clustering of intrusion alerts
Siyue Chen, Henry Leung, Maxwell Dondo
Author Affiliations +
Proceedings Volume 9121, Multisensor, Multisource Information Fusion: Architectures, Algorithms, and Applications 2014; 912107 (2014) https://doi.org/10.1117/12.2052852
Event: SPIE Sensing Technology + Applications, 2014, Baltimore, MD, United States
Abstract
As computer network security threats increase, many organizations implement multiple Network Intrusion Detection Systems (NIDS) to maximize the likelihood of intrusion detection and provide a comprehensive understanding of intrusion activities. However, NIDS trigger a massive number of alerts on a daily basis. This can be overwhelming for computer network security analysts since it is a slow and tedious process to manually analyse each alert produced. Thus, automated and intelligent clustering of alerts is important to reveal the structural correlation of events by grouping alerts with common features. As the nature of computer network attacks, and therefore alerts, is not known in advance, unsupervised alert clustering is a promising approach to achieve this goal. We propose a joint optimization technique for feature selection and clustering to aggregate similar alerts and to reduce the number of alerts that analysts have to handle individually. More precisely, each identified feature is assigned a binary value, which reflects the feature's saliency. This value is treated as a hidden variable and incorporated into a likelihood function for clustering. Since computing the optimal solution of the likelihood function directly is analytically intractable, we use the Expectation-Maximisation (EM) algorithm to iteratively update the hidden variable and use it to maximize the expected likelihood. Our empirical results, using a labelled Defense Advanced Research Projects Agency (DARPA) 2000 reference dataset, show that the proposed method gives better results than the EM clustering without feature selection in terms of the clustering accuracy.
© (2014) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Citation Download Citation
Siyue Chen, Henry Leung, and Maxwell Dondo "Characterization of computer network events through simultaneous feature selection and clustering of intrusion alerts", Proc. SPIE 9121, Multisensor, Multisource Information Fusion: Architectures, Algorithms, and Applications 2014, 912107 (22 May 2014); https://doi.org/10.1117/12.2052852
ACCESS THE FULL ARTICLE
ORGANIZATIONAL
Sign in with credentials provided by your organization.
INSTITUTIONAL
Select your institution to access the SPIE Digital Library.
SELECT YOUR INSTITUTION
PERSONAL
Sign in with your SPIE account to access your personal subscriptions or to use specific features such as save to my library, sign up for alerts, save searches, etc.
PERSONAL SIGN IN
No SPIE Account? Create one
PURCHASE THIS CONTENT
SUBSCRIBE TO DIGITAL LIBRARY
50 downloads per 1-year subscription
Members: $195
Non-members: $335 ADD TO CART
25 downloads per 1 - year subscription
Members: $145
Non-members: $250 ADD TO CART
PURCHASE SINGLE ARTICLE
Includes PDF, HTML & Video, when available
Members: $17.00
Non-members: $21.00 ADD TO CART
PROCEEDINGS
 9 PAGES
DOWNLOAD PAPER SAVE TO MY LIBRARY
GET CITATION
Lens.org Logo
CITATIONS
Cited by 1 scholarly publication.
Advertisement
Advertisement
RIGHTS & PERMISSIONS
Get copyright permission  Get copyright permission on Copyright Marketplace
KEYWORDS
Expectation maximization algorithms
Feature selection
Computer networks
Data modeling
Sensors
Autoregressive models
Data transmission
RELATED CONTENT
Subscribe to Digital Library
Receive Erratum Email Alert
Back to Top