
Adaptive Intrusion Detection: A Data Mining Approach

Published in: Artificial Intelligence Review

Abstract

In this paper we describe a data mining framework for constructing intrusion detection models. The first key idea is to mine system audit data for consistent and useful patterns of program and user behavior. The other is to use the set of relevant system features presented in the patterns to compute inductively learned classifiers that can recognize anomalies and known intrusions. In order for the classifiers to be effective intrusion detection models, we need to have sufficient audit data for training and also select a set of predictive system features. We propose to use the association rules and frequent episodes computed from audit data as the basis for guiding the audit data gathering and feature selection processes. We modify these two basic algorithms to use axis attribute(s) and reference attribute(s) as forms of item constraints to compute only the relevant patterns. In addition, we use an iterative level-wise approximate mining procedure to uncover the low frequency but important patterns. We use meta-learning as a mechanism to make intrusion detection models more effective and adaptive. We report our extensive experiments in using our framework on real-world audit data.
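As an added illustration of the axis-attribute item constraint the abstract describes (example code written for this page, not the authors' implementation): level-wise mining of association rules over a constructed set of connection records, where `service` is assumed to be the axis attribute, so only itemsets that mention a service are ever counted or extended.

```python
from itertools import combinations

# Constructed connection records (sample data, not the paper's): each is a
# dict of attribute -> value; "service" plays the role of the axis attribute.
RECORDS = [
    {"service": "http", "flag": "SF", "dst_host": "10.0.0.5", "src_bytes": "low"},
    {"service": "http", "flag": "SF", "dst_host": "10.0.0.5", "src_bytes": "low"},
    {"service": "http", "flag": "SF", "dst_host": "10.0.0.7", "src_bytes": "high"},
    {"service": "smtp", "flag": "SF", "dst_host": "10.0.0.9", "src_bytes": "low"},
    {"service": "smtp", "flag": "S0", "dst_host": "10.0.0.9", "src_bytes": "low"},
    {"service": "ftp", "flag": "SF", "dst_host": "10.0.0.5", "src_bytes": "low"},
]

def frequent_itemsets(records, axis, min_support, max_size=3):
    """Level-wise (Apriori-style) mining of itemsets of (attribute, value) pairs,
    restricted to itemsets that contain the axis attribute. Returns {itemset: support}."""
    n = len(records)
    baskets = [frozenset(r.items()) for r in records]
    # Seeding level 1 with axis values only means every itemset found contains
    # exactly one axis item; combinations that never mention it are never counted.
    other_items = {it for b in baskets for it in b if it[0] != axis}
    level = {frozenset([(axis, r[axis])]) for r in records}
    result = {}
    while level and len(next(iter(level))) <= max_size:
        counts = {c: sum(1 for b in baskets if c <= b) for c in level}
        frequent = {c: counts[c] / n for c in level if counts[c] / n >= min_support}
        result.update(frequent)
        # Grow each frequent itemset by one non-axis item of an attribute not yet used.
        level = {f | {it} for f in frequent for it in other_items
                 if it[0] not in {attr for attr, _ in f}}
    return result

def association_rules(itemsets, min_confidence):
    """Derive rules lhs -> rhs from the mined itemsets. Only a lhs that was itself
    counted (i.e. one holding the axis item) can be used, so rules stay axis-anchored."""
    rules = []
    for items, support in itemsets.items():
        for k in range(1, len(items)):
            for lhs in map(frozenset, combinations(items, k)):
                if lhs in itemsets:
                    confidence = support / itemsets[lhs]
                    if confidence >= min_confidence:
                        rules.append((lhs, items - lhs, support, confidence))
    return rules
```

With `min_support=0.3`, the `ftp` record is never frequent and no itemset such as `{flag=SF}` alone is produced, which is exactly the pruning the axis constraint buys.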



Cite this article

Lee, W., Stolfo, S.J. & Mok, K.W. Adaptive Intrusion Detection: A Data Mining Approach. Artificial Intelligence Review 14, 533–567 (2000). https://doi.org/10.1023/A:1006624031083
