ROOK: Multi-session based network security event detector

Masayoshi Mizutani; Shin Shirahata; Masaki Minami; Jun Murai

doi:10.1109/SAINT.2008.110

ROOK: Multi-session based network security event detector

Masayoshi Mizutani, Shin Shirahata, Masaki Minami, Jun Murai

University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

We have implemented Multi-Session based Network Security Event Detector: ROOK to detect botnet activity and P2P file sharing traffic and our results show that our method is less false positives than existing network security event detectors (e.g. IDS). We proposed a network security event detection method by analyzing correlation among multiple sessions. Our method can recognize hosts behaviors by rules that describe multi-session correlations: a rule includes the order of starting sessions and information exchange between sessions. By this method, ROOK detected DNS and IRC activities of bots in the experiment.

Original language	English
Title of host publication	Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008
Pages	48-54
Number of pages	7
DOIs	https://doi.org/10.1109/SAINT.2008.110
Publication status	Published - 2008
Event	2008 International Symposium on Applications and the Internet, SAINT 2008 - Turku, Finland Duration: 2008 Jul 28 → 2008 Aug 1

Publication series

Name	Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008

Other

Other	2008 International Symposium on Applications and the Internet, SAINT 2008
Country/Territory	Finland
City	Turku
Period	08/7/28 → 08/8/1

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications

Access to Document

10.1109/SAINT.2008.110

Cite this

ROOK: Multi-session based network security event detector. / Mizutani, Masayoshi; Shirahata, Shin; Minami, Masaki et al.
Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008. 2008. p. 48-54 4604542 (Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Mizutani, M, Shirahata, S, Minami, M & Murai, J 2008, ROOK: Multi-session based network security event detector. in Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008., 4604542, Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008, pp. 48-54, 2008 International Symposium on Applications and the Internet, SAINT 2008, Turku, Finland, 08/7/28. https://doi.org/10.1109/SAINT.2008.110

@inproceedings{2dc89d438667470184bec6af17a09839,

title = "ROOK: Multi-session based network security event detector",

abstract = "We have implemented Multi-Session based Network Security Event Detector: ROOK to detect botnet activity and P2P file sharing traffic and our results show that our method is less false positives than existing network security event detectors (e.g. IDS). We proposed a network security event detection method by analyzing correlation among multiple sessions. Our method can recognize hosts behaviors by rules that describe multi-session correlations: a rule includes the order of starting sessions and information exchange between sessions. By this method, ROOK detected DNS and IRC activities of bots in the experiment.",

author = "Masayoshi Mizutani and Shin Shirahata and Masaki Minami and Jun Murai",

year = "2008",

doi = "10.1109/SAINT.2008.110",

language = "English",

isbn = "9780769532974",

series = "Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008",

pages = "48--54",

booktitle = "Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008",

}

TY - GEN

T1 - ROOK

T2 - 2008 International Symposium on Applications and the Internet, SAINT 2008

AU - Mizutani, Masayoshi

AU - Shirahata, Shin

AU - Minami, Masaki

AU - Murai, Jun

PY - 2008

Y1 - 2008

N2 - We have implemented Multi-Session based Network Security Event Detector: ROOK to detect botnet activity and P2P file sharing traffic and our results show that our method is less false positives than existing network security event detectors (e.g. IDS). We proposed a network security event detection method by analyzing correlation among multiple sessions. Our method can recognize hosts behaviors by rules that describe multi-session correlations: a rule includes the order of starting sessions and information exchange between sessions. By this method, ROOK detected DNS and IRC activities of bots in the experiment.

AB - We have implemented Multi-Session based Network Security Event Detector: ROOK to detect botnet activity and P2P file sharing traffic and our results show that our method is less false positives than existing network security event detectors (e.g. IDS). We proposed a network security event detection method by analyzing correlation among multiple sessions. Our method can recognize hosts behaviors by rules that describe multi-session correlations: a rule includes the order of starting sessions and information exchange between sessions. By this method, ROOK detected DNS and IRC activities of bots in the experiment.

UR - http://www.scopus.com/inward/record.url?scp=53849113665&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=53849113665&partnerID=8YFLogxK

U2 - 10.1109/SAINT.2008.110

DO - 10.1109/SAINT.2008.110

M3 - Conference contribution

AN - SCOPUS:53849113665

SN - 9780769532974

T3 - Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008

SP - 48

EP - 54

BT - Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008

Y2 - 28 July 2008 through 1 August 2008

ER -

ROOK: Multi-session based network security event detector

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this