Intrusion signature creation via clustering anomalies

dc.contributor.author Hendry, Gilbert
dc.contributor.author Yang, Shanchieh
dc.date.accessioned 2009-11-11T15:36:58Z
dc.date.available 2009-11-11T15:36:58Z
dc.date.issued 2008
dc.identifier.citation Proceedings of SPIE Security and Defense Symposium, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security Conference, Orlando, Florida, March 16-20, 2008
dc.identifier.uri http://hdl.handle.net/1850/10767
dc.description.abstract Current practices for combating cyber attacks typically use Intrusion Detection Systems (IDSs) to detect and block multistage attacks. Because of the speed and impact of new types of cyber attacks, current IDSs are limited in providing accurate detection while reliably adapting to new attacks. In signature-based IDSs, this limitation is made apparent by the latency from day zero of an attack to the creation of an appropriate signature. This work hypothesizes that this latency can be shortened by creating signatures via anomaly-based algorithms. A hybrid supervised and unsupervised clustering algorithm is proposed for new signature creation. These new signatures, created in real time, would take effect immediately, ideally detecting new attacks. This work first investigates a modified density-based clustering algorithm as an IDS, with its strengths and weaknesses identified. A signature creation algorithm leveraging the summarizing abilities of clustering is investigated. Lessons learned from the supervised signature creation are then leveraged for the development of unsupervised real-time signature classification. Automating signature creation and classification via clustering is demonstrated as satisfactory but with limitations.
dc.language.iso en_US
dc.publisher SPIE
dc.subject Adaptive signatures
dc.subject Clustering
dc.subject Intrusion detection
dc.title Intrusion signature creation via clustering anomalies
dc.type Proceedings

Files in this item

File: SYangConfProc2008.pdf (333.6 KB, PDF)
