ROOK: Multi-session based network security event detector

Masayoshi Mizutani, Shin Shirahata, Masaki Minami, Jun Murai

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

3 Citations (Scopus)

Abstract

We have implemented ROOK, a Multi-Session based Network Security Event Detector, to detect botnet activity and P2P file sharing traffic; our results show that our method produces fewer false positives than existing network security event detectors (e.g. IDS). We propose a network security event detection method that analyzes the correlation among multiple sessions. Our method recognizes host behaviors by rules that describe multi-session correlations: a rule includes the order in which sessions are started and the information exchanged between sessions. Using this method, ROOK detected the DNS and IRC activities of bots in our experiment.

Original language: English
Title of host publication: Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008
Pages: 48-54
Number of pages: 7
DOI: 10.1109/SAINT.2008.110
Publication status: Published - 2008
Event: 2008 International Symposium on Applications and the Internet, SAINT 2008 - Turku, Finland
Duration: 2008 Jul 28 to 2008 Aug 1

Other

Other: 2008 International Symposium on Applications and the Internet, SAINT 2008
Country: Finland
City: Turku
Period: 08/7/28 to 08/8/1

Fingerprint

Network security
Detectors
Experiments

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Mizutani, M., Shirahata, S., Minami, M., & Murai, J. (2008). ROOK: Multi-session based network security event detector. In Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008 (pp. 48-54). [4604542] https://doi.org/10.1109/SAINT.2008.110

@inproceedings{2dc89d438667470184bec6af17a09839,
title = "ROOK: Multi-session based network security event detector",
abstract = "We have implemented Multi-Session based Network Security Event Detector: ROOK to detect botnet activity and P2P file sharing traffic and our results show that our method is less false positives than existing network security event detectors (e.g. IDS). We proposed a network security event detection method by analyzing correlation among multiple sessions. Our method can recognize hosts behaviors by rules that describe multi-session correlations: a rule includes the order of starting sessions and information exchange between sessions. By this method, ROOK detected DNS and IRC activities of bots in the experiment.",
author = "Masayoshi Mizutani and Shin Shirahata and Masaki Minami and Jun Murai",
year = "2008",
doi = "10.1109/SAINT.2008.110",
language = "English",
isbn = "9780769532974",
pages = "48--54",
booktitle = "Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008",

}
