Title :
Apply data mining to defense-in-depth network security system
Author :
Huang, Nen-Fu ; Kao, Chia-Nan ; Hun, Hsien-Wei ; Jai, Gin-Yuan ; Lin, Chia-Lin
Author_Institution :
Dept. of Comput. Sci., National Tsing Hua Univ., Taiwan
Abstract :
This paper proposes a defense-in-depth network security architecture and applies data mining techniques to analyze the alerts collected from distributed intrusion detection and prevention systems (IDS/IPS). The proposed defense-in-depth architecture consists of a global policy server (GPS) that manages the scattered intrusion detection and prevention systems, each of which is managed by a local policy server (LPS). The key component of the GPS is the security information management (SIM) module, where data mining technology is employed to analyze the events (alerts) collected from the LPSs. Once a DDoS attack is recognized by the SIM module, the GPS immediately instructs the LPSs (IDS/IPS) to adjust their thresholds so that the attack is blocked at its sources. To evaluate the effectiveness of the proposed defense-in-depth architecture, a prototype is implemented in which three different data mining tools are employed. Experimental results demonstrate that, for detecting DDoS attacks, the proposed data mining-based defense-in-depth architecture performs very well in terms of both attack detection rate and false alarm rate.
Keywords :
data mining; distributed processing; security of data; telecommunication security; DDoS attack; data mining; defense-in-depth network security system; distributed intrusion detection systems; distributed intrusion prevention systems; global policy server; local policy server; security information management; Computer crime; Data mining; Data security; Global Positioning System; Information analysis; Information management; Information security; Intrusion detection; Network servers; Scattering; Data Mining; Defense-in-depth; IDS; IPS; Network Security;
Conference_Title :
Advanced Information Networking and Applications, 2005. AINA 2005. 19th International Conference on
Print_ISBN :
0-7695-2249-1
DOI :
10.1109/AINA.2005.118