Title: Understanding the decision rules for partitioning logs of intrusion detection systems (IDS)

Authors: Joshua Ojo Nehinbe

Addresses: School of Computer Science and Electronic Engineering Systems, University of Essex, CO4 3SQ, Colchester, UK

Abstract: Unauthorised accesses into computers are serious cyber warfare across the globe. Consequently, an intrusion detector is used for network forensics to maximally detect and report intrusions. The toolkit is generally designed to log tons of unauthorised activities with their respective attributes to assist in-depth analyses of the events. Unfortunately, there are several ways to cluster intrusive alerts. Besides, trade-offs between intra-cluster similarity and inter-cluster dissimilarity are difficult to discriminate failed attacks from successful attacks because the probabilities that some attacks will fail are often neglected during the investigations of audit logs. Consequently, the goodness of clusters of failed attacks is mismatched with that of successful attacks and accurate countermeasures are not often achieved. Therefore, this paper presents a partitioning clustering algorithm for reducing aforementioned problems. The model was evaluated using information gain and the results obtained demonstrated splitting criteria that best discriminate failed attacks in intrusion logs.

Keywords: intrusion detection systems; IDS; information gain; good clusters; bad clusters; decision rules; partitioning clustering; audit logs; splitting criteria; failed attacks; intrusion logs.

DOI: 10.1504/IJITST.2011.041297

International Journal of Internet Technology and Secured Transactions, 2011 Vol.3 No.3, pp.293 - 309

Published online: 29 Nov 2014 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article