Download - Academy Publisher
aggregated to form the alarm flow. The aggregated flow revealed not only the overall regularities but also the behaviors of malicious events, even though the significance of individual alarms was unclear. Therefore, the flow characterization can help the administrator obtain a real-time view of the security threat situation.
Because of the dynamic characteristics of network environments, the alarm flow is dynamic, huge, infinite and fast changing, so traditional stationary time series analysis techniques cannot adapt well to changes in the flow. To overcome this problem, we apply the Singular Spectrum Analysis (SSA) [14] approach to the alarm flow to perform threat evaluation. We found that the alarm flow has a small intrinsic dimension, and that its structure can be decomposed into two subsets of principal components: the subset of leading components and the subset of residual components. Based on this, we can reconstruct the two parts of the original alarm flow; the threat situations hidden in the flow then become visible and threat trends can be predicted.
The rest of the paper is organized as follows. In Section 2, we apply SSA to the alarm flow and separate the leading components, which are responsible for the basic part of the flow, from the residual components, which represent the noise part of the flow. Section 3 performs the threat evaluation with case studies and experiments. Section 4 concludes the paper and outlines future work.
II. SSA-BASED FLOW DECOMPOSITION
The SSA method is a powerful non-parametric technique of time series analysis based on principles of multivariate statistics. It has been applied to many areas, such as the analysis of meteorological, climatic and geophysical time series [15]. Our aim in using SSA is to gain an in-depth understanding of the structure of the alarm flow: understanding the main features of the components forming the alarm flow is critical for threat evaluation.
Considering the original alarm flow X(t), we assume it can be described by two parts, $\sigma(t)$ and $\varepsilon(t)$; that is, a decomposition of X(t) into a sum of two series:

$$x_t = \sigma_t + \varepsilon_t,$$

where the series $\sigma(t)$ is associated with the leading components of the flow, which form the basic part of the information. It can be well approximated by a linear recurrence formula of order d,

$$\sigma_t = \alpha_1 \sigma_{t-1} + \dots + \alpha_d \sigma_{t-d},$$

with coefficients $\alpha_1, \dots, \alpha_d$. This implies that the basic part of the flow is smooth enough to be modeled as a weighted sum of previous observations. The series $\varepsilon(t)$ represents the residual components of the flow, which capture the small variations; it cannot be well approximated by finite-difference equations. In other words, it does not fit in the basic part of the alarm flow and can be interpreted as the noise part of the flow. This noise may interfere with the threat evaluation.
We then apply SSA to separate the two parts of the alarm flow. The process consists of four main steps, which are performed as follows:
·Step 1: Embedding. Let X(t){ x t : 1
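The decomposition of the alarm flow into $\sigma_t$ and $\varepsilon_t$, as an added worked example that is not the paper's own code: it implements the standard SSA steps (embedding into a trajectory matrix, eigen-decomposition of the lag-covariance matrix, grouping into leading and residual components, and diagonal averaging back to a series). The page names only the first step, so the remaining three are assumed from the standard SSA procedure. The alarm-count series, the window length of 24, the rank of 3 and the burst of extra alarms inserted at intervals 80 and 81 are all constructed for illustration, and the eigen-solver is a plain Jacobi iteration so that only the Python standard library is needed.

```python
"""SSA split of an aggregated alarm flow into the leading part sigma_t and the
residual part epsilon_t (added example, not the paper's code).  Assumes the
standard four SSA steps: embedding, decomposition, grouping, diagonal averaging.
The alarm-count series is constructed; the eigen-solver is a plain Jacobi
iteration so only the standard library is needed."""
import math
import random


def jacobi_eigen(a):
    """Eigenpairs of a symmetric matrix (cyclic Jacobi), sorted by decreasing eigenvalue."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(100):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off <= 1e-22 * sum(a[i][i] ** 2 for i in range(n)):
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-300:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):  # A <- A R (columns p, q)
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                for k in range(n):  # A <- R^T A (rows p, q)
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
                for k in range(n):  # accumulate eigenvectors V <- V R
                    v[k][p], v[k][q] = c * v[k][p] - s * v[k][q], s * v[k][p] + c * v[k][q]
    order = sorted(range(n), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[r][i] for r in range(n)] for i in order]

def embed(series, window):
    """Step 1: window x K trajectory (Hankel) matrix, K = N - window + 1."""
    k = len(series) - window + 1
    return [[series[i + m] for m in range(k)] for i in range(window)]

def decompose(traj):
    """Step 2: eigenpairs of the lag-covariance matrix S = X X^T."""
    w, k = len(traj), len(traj[0])
    s = [[sum(traj[i][m] * traj[j][m] for m in range(k)) for j in range(w)] for i in range(w)]
    return jacobi_eigen(s)

def group(traj, vecs, indices):
    """Step 3: sum of the elementary matrices u_c u_c^T X for the chosen components."""
    w, k = len(traj), len(traj[0])
    out = [[0.0] * k for _ in range(w)]
    for c in indices:
        u = vecs[c]
        proj = [sum(u[i] * traj[i][m] for i in range(w)) for m in range(k)]  # u_c^T X
        for i in range(w):
            for m in range(k):
                out[i][m] += u[i] * proj[m]
    return out

def hankelize(mat):
    """Step 4: diagonal averaging, back to a series of length window + K - 1."""
    w, k = len(mat), len(mat[0])
    total, count = [0.0] * (w + k - 1), [0] * (w + k - 1)
    for i in range(w):
        for m in range(k):
            total[i + m] += mat[i][m]
            count[i + m] += 1
    return [tot / cnt for tot, cnt in zip(total, count)]

def ssa_split(series, window, rank):
    """Leading part sigma from the first `rank` components, residual epsilon from the rest."""
    traj = embed(series, window)
    vals, vecs = decompose(traj)
    sigma = hankelize(group(traj, vecs, range(rank)))
    epsilon = hankelize(group(traj, vecs, range(rank, window)))
    return sigma, epsilon, vals

def leading_share(vals, rank):
    """Fraction of the total variance (sum of eigenvalues) held by the leading components."""
    return sum(vals[:rank]) / sum(vals)

def constructed_alarm_flow(n=120, seed=7):
    """Constructed alarms-per-interval series: a 24-sample periodic baseline, small
    uniform noise, and 12 extra alarms in each of two consecutive intervals (t = 80, 81)."""
    rng = random.Random(seed)
    flow = [20.0 + 8.0 * math.sin(2 * math.pi * t / 24) + rng.uniform(-1.0, 1.0) for t in range(n)]
    flow[80] += 12.0
    flow[81] += 12.0
    return flow

def flag_bursts(epsilon, factor=6.0):
    """Intervals whose residual exceeds `factor` times the median |epsilon_t|."""
    median = sorted(abs(e) for e in epsilon)[len(epsilon) // 2]
    return [t for t, e in enumerate(epsilon) if abs(e) > factor * median]

if __name__ == "__main__":
    flow = constructed_alarm_flow()
    sigma, epsilon, vals = ssa_split(flow, window=24, rank=3)
    print("variance share of the 3 leading components: %.3f" % leading_share(vals, 3))
    print("intervals flagged from the residual part:", flag_bursts(epsilon))
```

Running the script prints the share of variance held by the three leading components (close to 1, reflecting the small intrinsic dimension noted above) and the intervals whose residual $\varepsilon_t$ stands out. The burst lands in the residual part because a short pulse does not satisfy the linear recurrence that the leading part follows. Since the leading part still absorbs a fraction of the burst, the residual also shows small ringing in the neighbouring intervals, so in practice one would report flagged runs rather than isolated points.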