Online Mining of Attack Models in IDS Alerts from Network Backbone by a Two-Stage Clustering Method.

Parallel and Distributed Processing Symposium Workshops & PhD Forum (2013)

Citations: 10 | Views: 0
Abstract
There is a big difference between IDS alerts from a network backbone and those from a lab environment, yet little work has been done on mining attack models from backbone IDS alerts. The contributions of this paper are three-fold. First, we propose an alert reduction method based on statistical redundancy (RMSR) to reduce alert redundancy. Second, we propose a two-stage clustering algorithm to analyze the spatial and temporal relations within the alert sequences of network intrusion behaviors. Third, we propose a novel approach, Loose Longest Common Subsequence (LLCS), to extract the attack models of network intrusion behaviors. The experimental results show that the reduction approach reduces IDS alert redundancy efficiently and that the generated attack models have a strong logical relation.
Keywords
Attack model mining online, alert reduction, two-stage clustering, sequence analysis, behavior analysis, parameters adjustment