Attack Scenario Construction Based on Rule and Fuzzy Clustering

  • Linru Ma
  • Lin Yang
  • Jianxin Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3802)


Correlation of intrusion alerts is a major technique in attack detection for building attack scenarios. Rule-based and data mining methods have been used in some previous proposals to perform correlation. In this paper we integrate these two complementary methods and introduce fuzzy clustering into the data mining method. To determine the fuzzy similarity coefficients, we introduce a hierarchy measurement and use a weighted average to compute the total similarity. This mechanism can measure the semantic distance of intrusion alerts with finer granularity than the common similarity measurement. The experimental results in this paper show that the fuzzy clustering method can reconstruct attack scenarios that are wrecked by missed attacks.





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Linru Ma (1)
  • Lin Yang (2)
  • Jianxin Wang (2)
  1. School of Electronic Science and Engineering, National University of Defense Technology, Changsha, China
  2. Institute of China Electronic System Engineering, Beijing, China
