Understanding the decision rules for partitioning logs of intrusion detection systems (IDS)

Abstract

Unauthorised accesses into computers are serious cyber warfare across the globe. Consequently, an intrusion detector is used for network forensics to maximally detect and report intrusions. The toolkit is generally designed to log tons of unauthorised activities with their respective attributes to assist in-depth analyses of the events. Unfortunately, there are several ways to cluster intrusive alerts. Besides, trade-offs between intra-cluster similarity and inter-cluster dissimilarity are difficult to discriminate failed attacks from successful attacks because the probabilities that some attacks will fail are often neglected during the investigations of audit logs. Consequently, the goodness of clusters of failed attacks is mismatched with that of successful attacks and accurate countermeasures are not often achieved. Therefore, this paper presents a partitioning clustering algorithm for reducing aforementioned problems. The model was evaluated using information gain and the results obtained demonstrated splitting criteria that best discriminate failed attacks in intrusion logs.