完整後設資料紀錄
DC 欄位語言
dc.contributor.authorJan, Nien-Yien_US
dc.contributor.authorLin, Shun-Chiehen_US
dc.contributor.authorTseng, Shian-Shyongen_US
dc.contributor.authorLin, Nancy P.en_US
dc.date.accessioned2014-12-08T15:08:36Z-
dc.date.available2014-12-08T15:08:36Z-
dc.date.issued2009-10-01en_US
dc.identifier.issn0957-4174en_US
dc.identifier.urihttp://dx.doi.org/10.1016/j.eswa.2009.02.097en_US
dc.identifier.urihttp://hdl.handle.net/11536/6606-
dc.description.abstractAs the rapid growth of network attacking tools, patterns of network intrusion events change gradually. Although many researches had been proposed to analyze network intrusion behaviors in accordance with low-level network data, they still suffer a large mount of false alerts and result in difficulties for network administrators to discover useful information from these alerts. To reduce the load of administrators, by collecting and analyzing unknown attack sequences systematically, administrators can do the duty of fixing the root causes. Due to the different characteristics of each intrusion, none of analysis methods can correlate IDS alerts precisely and discover all kinds of real intrusion patterns. Therefore, an alert-based decision support system is proposed in this paper to construct an alert classification model for on-line network behavior monitoring. The architecture of decision support system consists of three phases: Alert Preprocessing Phase, Model Constructing Phase and Rule Refining Phase. The Alert Processing Phase is used to transform IDS alerts into alert transactions with specific data format as alert subsequences, where an alert sequence is a kind of well-aggregated alert transaction format to discover intrusion behaviors. Besides, the Model Constructing Phase is used to construct three kinds of rule classes: normal rule classes, intrusion rule classes and suspicious rule classes, to filter false alert patterns and analyze each existing or unknown alert patterns; each rule class represents a set of classification rules. Normal rule class, a set of false alert classification rules, can be trained by using sequential pattern mining approach in an attack-free environment. Intrusion rule classes, a set of known intrusion classification rules, and suspicious rule classes, a set of novel intrusion classification rules, can be trained in a simulated attacking environment using several well-known rootkits and labeling by experts. Finally, the Rule Refining Phase is used to change the classification flags of alert sequence across different time intervals. According to the urgent situations of different levels, Network administrators can do event protecting or vulnerability repairing, even or cause tracing of attacks. Therefore, the decision support system can prevent attacks effectively, find novel attack patterns exactly and reduce the load of administrators efficiently. Crown Copyright (C) 2009 Published by Elsevier Ltd. All rights reserved.en_US
dc.language.isoen_USen_US
dc.subjectDecision support systemen_US
dc.subjectAlert classificationen_US
dc.subjectSequential pattern miningen_US
dc.subjectIntrusion detectionen_US
dc.subjectModel constructionen_US
dc.titleA decision support system for constructing an alert classification modelen_US
dc.typeArticleen_US
dc.identifier.doi10.1016/j.eswa.2009.02.097en_US
dc.identifier.journalEXPERT SYSTEMS WITH APPLICATIONSen_US
dc.citation.volume36en_US
dc.citation.issue8en_US
dc.citation.spage11145en_US
dc.citation.epage11155en_US
dc.contributor.department資訊工程學系zh_TW
dc.contributor.departmentDepartment of Computer Scienceen_US
dc.identifier.wosnumberWOS:000267179500039-
dc.citation.woscount7-
顯示於類別:期刊論文


文件中的檔案:

  1. 000267179500039.pdf

若為 zip 檔案,請下載檔案解壓縮後,用瀏覽器開啟資料夾中的 index.html 瀏覽全文。