
Abstracting Audit Data for Lightweight Intrusion Detection

  • Conference paper
Information Systems Security (ICISS 2010)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6503)

Abstract

Processing massive audit data at high speed is crucial for an anomaly-based Intrusion Detection System (IDS) to achieve real-time performance during detection. Abstracting the audit data is a potential way to improve the efficiency of data processing. In this work, we propose two data-abstraction strategies for building a lightweight detection model: the first is exemplar extraction and the second is attribute abstraction. Two clustering algorithms, Affinity Propagation (AP) and traditional k-means, are employed to extract the exemplars, and Principal Component Analysis (PCA) is employed to abstract the important attributes (a.k.a. features) from the audit data. Real HTTP traffic collected in our institute and the KDD 1999 data are used to validate the two strategies. The extensive test results show that exemplar extraction significantly improves detection efficiency and achieves better detection performance than PCA-based attribute abstraction.
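An added example (not the paper's code) of the first strategy, exemplar extraction: k-means centroids stand in for the whole training set of normal records, and a new record is flagged when it is far from every exemplar. The KDD-99-style attribute names, the sample values, and the threshold rule (largest normal deviation times a slack factor) are assumptions for illustration.

```python
"""Exemplar-based lightweight anomaly detector (added example, not the paper's code):
constructed KDD-99-style records (duration, src_bytes, dst_bytes, count)."""
import math

# Constructed normal traffic with two behaviour modes: short queries and bulk downloads.
NORMAL = [(1, 200, 300, 5), (2, 220, 310, 6), (1, 190, 280, 4), (3, 210, 330, 5),
          (20, 1500, 50000, 2), (22, 1600, 52000, 3), (18, 1400, 48000, 2), (25, 1550, 51000, 1)]

def zscore_params(records):
    """Per-attribute mean and std dev so byte counts do not dominate the distance."""
    dims = len(records[0])
    means = [sum(r[i] for r in records) / len(records) for i in range(dims)]
    stds = [math.sqrt(sum((r[i] - means[i]) ** 2 for r in records) / len(records)) or 1.0
            for i in range(dims)]
    return means, stds

def normalize(record, means, stds):
    return [(record[i] - means[i]) / stds[i] for i in range(len(record))]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans_exemplars(points, k, iters=20):
    """Lloyd's k-means with deterministic farthest-point seeding; centroids are the exemplars."""
    centres = [points[0]]
    while len(centres) < k:
        centres.append(max(points, key=lambda p: min(dist(p, c) for c in centres)))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda j: dist(p, centres[j]))].append(p)
        centres = [[sum(c) / len(g) for c in zip(*g)] if g else centres[j]
                   for j, g in enumerate(groups)]
    return centres

def build_model(records, k=2, slack=1.5):
    """Train on normal records only; k exemplars replace len(records) comparisons at detection time."""
    means, stds = zscore_params(records)
    pts = [normalize(r, means, stds) for r in records]
    exemplars = kmeans_exemplars(pts, k)
    radius = max(min(dist(p, e) for e in exemplars) for p in pts)  # largest normal deviation
    return {"means": means, "stds": stds, "exemplars": exemplars, "threshold": slack * radius}

def score(model, record):
    """Distance to the nearest exemplar; larger means less like any known normal behaviour."""
    p = normalize(record, model["means"], model["stds"])
    return min(dist(p, e) for e in model["exemplars"])

def is_anomaly(model, record):
    return score(model, record) > model["threshold"]
```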




© 2010 Springer-Verlag Berlin Heidelberg


Cite this paper

Wang, W., Zhang, X., Pitsilis, G. (2010). Abstracting Audit Data for Lightweight Intrusion Detection. In: Jha, S., Mathuria, A. (eds) Information Systems Security. ICISS 2010. Lecture Notes in Computer Science, vol 6503. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17714-9_15


  • DOI: https://doi.org/10.1007/978-3-642-17714-9_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17713-2

  • Online ISBN: 978-3-642-17714-9

  • eBook Packages: Computer Science (R0)
