CONFERENCE PROCEEDINGS
Advanced Search
Home > Proceedings > Volume 6570 > Article
Paper
9 April 2007 AutoCorrel II: a neural network event correlation approach
Maxwell G. Dondo, Peter Mason, Nathalie Japkowicz, Reuben Smith
Author Affiliations +
Proceedings Volume 6570, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2007; 65700H (2007) https://doi.org/10.1117/12.707922
Event: Defense and Security Symposium, 2007, Orlando, Florida, United States
Abstract
As a follow-up to our earlier model Autocorrel I, we have implemented a two-stage event correlation approach with improved performance. Like Autocorrel I, the new model correlates intrusion detection system (IDS) alerts to automate alert and incidents management, and reduce the workload on an IDS analyst. We achieve this correlation by clustering similar alerts, thus allowing the analyst to only consider a few clusters rather than hundreds or thousands of alerts. The first stage uses an artificial neural network (ANN)-based autoassociator (AA). The AA's objective is to attempt to reproduce each alert at its output. In the process, it uses an error metric, the reconstruction error (RE), between its input and output to cluster similar alerts. In order to improve the accuracy of the system we add another machine-learning stage which takes into account the RE as well as raw attribute information from the input alerts. This stage uses the Expectation-Maximisation (EM) clustering algorithm. The performance of this approach is tested with intrusion alerts generated by a Snort IDS on DARPA's 1999 IDS evaluation data as well as incidents.org alerts.
© (2007) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Citation Download Citation
Maxwell G. Dondo, Peter Mason, Nathalie Japkowicz, and Reuben Smith "AutoCorrel II: a neural network event correlation approach", Proc. SPIE 6570, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2007, 65700H (9 April 2007); https://doi.org/10.1117/12.707922
ACCESS THE FULL ARTICLE
ORGANIZATIONAL
Sign in with credentials provided by your organization.
INSTITUTIONAL
Select your institution to access the SPIE Digital Library.
SELECT YOUR INSTITUTION
PERSONAL
Sign in with your SPIE account to access your personal subscriptions or to use specific features such as save to my library, sign up for alerts, save searches, etc.
PERSONAL SIGN IN
No SPIE Account? Create one
PURCHASE THIS CONTENT
SUBSCRIBE TO DIGITAL LIBRARY
50 downloads per 1-year subscription
Members: $195
Non-members: $335 ADD TO CART
25 downloads per 1 - year subscription
Members: $145
Non-members: $250 ADD TO CART
PURCHASE SINGLE ARTICLE
Includes PDF, HTML & Video, when available
Members: $17.00
Non-members: $21.00 ADD TO CART
PROCEEDINGS
 12 PAGES
DOWNLOAD PAPER SAVE TO MY LIBRARY
GET CITATION
Advertisement
Advertisement
RIGHTS & PERMISSIONS
Get copyright permission  Get copyright permission on Copyright Marketplace
KEYWORDS
Expectation maximization algorithms
Computer intrusion detection
Neural networks
Detection and tracking algorithms
Error analysis
Sensors
Selenium
RELATED CONTENT
Subscribe to Digital Library
Receive Erratum Email Alert
Back to Top