Title: A Clustering-Based Judgment Method of False Positive Alerts
Author(s): Shinya Iwasaki, Tomo Kakuta, Yoshihiro Sekiguchi, Yukihiro Konishi, Tomoya Ohtori and Norihisa Komoda
ISBN: 978-989-8533-92-0
Editors: Ajith P. Abraham and Jörg Roth
Year: 2019
Edition: Single
Keywords: Cyber Security, Incident Response, Clustering, DBSCAN, K-means++, Anomaly Detection
Type: Full Paper
First Page: 174
Last Page: 180
Language: English
Paper Abstract:

This paper proposes a clustering-based judgment method for false positive alerts generated by security devices. In the
proposed method, alerts with the same attack source IP address over a certain period of time in the past are first
extracted. Using the signature counts accumulated from the extracted alerts, alerts with similar patterns are then
grouped into several clusters by a method combining DBSCAN and K-means++. Finally, alerts are judged to be false
positives based on the number of alerts in each cluster. In a trial of the proposed method on two 7-day alert sets from
two different networks, the recall rate was 100%, the precision rate was 34%, and the F-measure was 50%. The precision
rate was more than ten times that of K-means++ alone and about 2.4 times that of DBSCAN alone.