Vol.39 No.04

Journal of Xi'an Jiaotong University

Nov.2005

Host Intrusion Activities Detection Based on Data Mining Method
Zan Xin, Han Chongzhao, Yao Tingting, Han Jiuqiang
(School of Electronics and Information Engineering, Xi'an Jiaotong University, Xi'an 710049, China)

Abstract: A sequence mining method was presented to obtain the frequent intrusion command sequences executed by intruders. The frequent intrusion command sequences were transformed into detection rules for a low-level intrusion detection sensor that flags suspicious behaviors. To eliminate false alarms, an efficient intrusion correlation engine based on intrusion incident context was designed, using the frequent intrusion command sequences as its association rules. Moreover, a novel intrusion correlation algorithm was presented, which considers both the sequential relations within each host intrusion class and the causal relations between different host intrusion classes to compute the probability of an intrusion; the algorithm thus fully reflects the complexity and diversity of host intrusion activities. Experimental results show that this intrusion correlation model not only improves the detection rate but also reduces the false alarm rate for host intrusion activities, in particular reducing the false alarm rate for the intruders' tool-downloading and system-information-gathering activities by about 20 percent.
Keywords: network security; intrusion detection; host intrusion activity; sequence pattern mining
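The pipeline the abstract describes (mine frequent command sequences, turn them into sensor rules, then correlate sensor hits per host so that only a completed sequence raises an alert) is illustrated below with a small stand-alone example. This is an added illustration, not the authors' code or their correlation algorithm: the frequent-subsequence miner is a simple support-counting scheme, the training sessions and event stream are constructed, the abstract command classes (`fetch_file`, `set_exec`, `query_sysinfo`, ...) are placeholders rather than real commands, and the "probability" attached to an alert is just the rule's training support, an assumption standing in for the paper's causal/sequential probability model.

```python
from collections import Counter
from itertools import combinations

# Constructed training data: command sessions labelled as intrusions (assumption).
# Each session is an ordered list of abstract command classes, not real commands.
INTRUSION_SESSIONS = [
    ["login", "fetch_file", "set_exec", "run_binary", "query_sysinfo"],
    ["login", "fetch_file", "set_exec", "run_binary", "list_users"],
    ["login", "query_sysinfo", "fetch_file", "set_exec", "run_binary"],
    ["login", "fetch_file", "query_sysinfo", "set_exec", "run_binary"],
    ["login", "list_users", "query_sysinfo"],
]
N_TRAINING = len(INTRUSION_SESSIONS)


def subsequences(session, k):
    """All distinct ordered (not necessarily contiguous) subsequences of length k."""
    return {tuple(session[i] for i in idx) for idx in combinations(range(len(session)), k)}


def is_subsequence(short, long):
    """True if every element of `short` appears in `long` in the same order."""
    it = iter(long)
    return all(any(x == y for y in it) for x in short)


def mine_rules(sessions, min_support, max_len=5):
    """Level-wise frequent subsequence mining; returns the maximal frequent
    sequences (no frequent proper supersequence) mapped to their support count."""
    frequent = {}
    for k in range(2, max_len + 1):
        counts = Counter()
        for s in sessions:
            for sub in subsequences(s, k):  # each session counts a pattern once
                counts[sub] += 1
        level = {seq: c for seq, c in counts.items() if c >= min_support}
        if not level:
            break
        frequent.update(level)
    return {
        s: c for s, c in frequent.items()
        if not any(s != t and is_subsequence(s, t) for t in frequent)
    }


def raw_sensor_hits(stream, rules):
    """Low-level sensor behaviour: count every event whose class appears in
    any rule. Each hit would be an alert without correlation."""
    watched = {e for rule in rules for e in rule}
    return sum(1 for _, event in stream if event in watched)


class CorrelationEngine:
    """Per-host incident context: tracks progress through each mined rule
    and raises an alert only when a whole rule sequence completes in order."""

    def __init__(self, rules, n_training):
        self.rules = rules
        self.n_training = n_training
        self.progress = {}  # (host, rule) -> index of next expected event

    def observe(self, host, event):
        alerts = []
        for rule, support in self.rules.items():
            key = (host, rule)
            i = self.progress.get(key, 0)
            if event == rule[i]:
                i += 1
                if i == len(rule):
                    # assumed confidence: fraction of training sessions containing the rule
                    alerts.append((host, rule, support / self.n_training))
                    i = 0
            self.progress[key] = i
        return alerts


def run_stream(stream, rules, n_training):
    """Feed (host, event) pairs through the engine and collect correlated alerts."""
    engine = CorrelationEngine(rules, n_training)
    alerts = []
    for host, event in stream:
        alerts.extend(engine.observe(host, event))
    return alerts


RULES = mine_rules(INTRUSION_SESSIONS, min_support=3)

# Constructed live stream: two hosts interleaved; h1 completes the download-and-run
# pattern, h2 only logs in, fetches a file and queries system information.
STREAM = [
    ("h1", "login"), ("h2", "login"), ("h1", "fetch_file"), ("h2", "fetch_file"),
    ("h1", "set_exec"), ("h2", "query_sysinfo"), ("h1", "run_binary"),
]

if __name__ == "__main__":
    print("mined rules:", RULES)
    print("raw sensor alerts:", raw_sensor_hits(STREAM, RULES))
    print("correlated alerts:", run_stream(STREAM, RULES, N_TRAINING))
```

With the constructed data, mining yields two maximal rules, `("login", "fetch_file", "set_exec", "run_binary")` and `("login", "query_sysinfo")`, each seen in 4 of 5 sessions. The raw sensor fires on all 7 stream events, whereas the correlation engine raises only two alerts (one per host, each when its rule sequence completes), which is the false-alarm reduction the abstract attributes to context-based correlation.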