Information security and cryptography are cornerstones of the information society.
In fact, strong security mechanisms are needed to implement functions such as
the integrity of financial transactions, the accountability for electronic signatures,
the confidentiality within a virtual enterprise, the privacy of personal information,
or the availability of the critical infrastructure.
CLARAty
(CLustering Alerts for Root cause Analysis = CLARA, and add -ty, for it to sound like "clarity")
Background.
In the field of computer security, it is becoming an increasingly important problem
to manage an ever bigger flood of event messages. For example, intrusion detection
systems, firewalls, routers, security scanners and many other devices trigger
millions of alerts and notifications a day. This raises the problem of identifying
the truly security-relevant alerts and separating them from the mere notifications
or the false alarms.
Solution.
To solve this problem, we have designed a novel data mining algorithm that groups
and summarizes similar events. Thus we can compress huge event logs into small
and highly comprehensible summaries that a human expert can use to reason about
the root causes of events. In particular, our experience with intrusion detection
alerts has shown that, given these summaries, it is rather straightforward to
identify false alarms and to reconfigure the system so that it will trigger up
to 90% fewer false positives in the future.
Method.
The data mining technique we developed uses generalization hierarchies to continuously
generalize events. For example, IP addresses might be generalized to networks,
time stamps to the day of the week on which they fall, and completely unformatted
strings might be generalized to substrings that they contain. By generalizing
events in this way, previously distinct alerts might become identical so they
can be clustered.
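The generalization-hierarchy idea described above, as an added example that is not CLARAty's own code: a small greedy clusterer over constructed alert tuples that raises IP addresses to networks (host, /24, /16, /8, ANY) and timestamps to weekday names, one level at a time on the most diverse attribute, until groups of at least `min_size` identical alerts emerge. The attribute set, the hierarchies and the sample alerts are assumptions chosen for illustration (IPv4 only).

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample alerts (not real IDS output): (signature, src_ip, dst_port, timestamp)
ALERTS = [
    ("SNMP public access", "10.1.2.3", "161", "2024-03-04T08:15:00"),
    ("SNMP public access", "10.1.2.7", "161", "2024-03-04T09:20:00"),
    ("SNMP public access", "10.1.2.9", "161", "2024-03-11T08:40:00"),
    ("ICMP ping sweep", "192.0.2.10", "0", "2024-03-06T23:00:00"),
    ("ICMP ping sweep", "192.0.2.11", "0", "2024-03-13T23:05:00"),
    ("ICMP ping sweep", "192.0.2.12", "0", "2024-03-20T23:10:00"),
]

# Each generalizer raises a value one level in its hierarchy; None means already at the top.
def gen_ip(v):  # IPv4 host -> /24 -> /16 -> /8 -> ANY (assumed hierarchy)
    if v == "ANY":
        return None
    net = ipaddress.ip_network(v if "/" in v else v + "/32", strict=False)
    return "ANY" if net.prefixlen <= 8 else str(net.supernet(new_prefix=net.prefixlen - 8))

def gen_time(v):  # ISO timestamp -> weekday name -> ANY
    if v == "ANY":
        return None
    return datetime.fromisoformat(v).strftime("%A") if "T" in v else "ANY"

def gen_flat(v):  # signature and port: value -> ANY
    return None if v == "ANY" else "ANY"

GENERALIZE = (gen_flat, gen_ip, gen_flat, gen_time)  # one generalizer per attribute

def cluster_alerts(alerts, min_size):
    """Generalize the most diverse attribute one level at a time until every alert
    sits in a group of at least min_size identical tuples; returns (tuple, count) pairs."""
    rows = [tuple(a) for a in alerts]
    clusters = []
    while rows:
        counts = Counter(rows)
        big = {r for r, n in counts.items() if n >= min_size}
        if big:  # emit finished clusters and keep generalizing the remainder
            clusters.extend(sorted((r, counts[r]) for r in big))
            rows = [r for r in rows if r not in big]
            continue
        # Choose the attribute with the most distinct values that can still be generalized
        candidates = [(len({r[i] for r in rows}), i) for i in range(len(GENERALIZE))
                      if any(GENERALIZE[i](r[i]) is not None for r in rows)]
        if not candidates:  # everything is ANY yet still below min_size: report as-is
            clusters.extend(sorted(counts.items()))
            break
        _, i = max(candidates)
        rows = [r[:i] + (GENERALIZE[i](r[i]) or r[i],) + r[i + 1:] for r in rows]
    return clusters
```

With `min_size=3` the six constructed alerts collapse into two summaries, one per /24 network and weekday, which is the kind of compressed view an analyst would inspect for a root cause.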