
Artificial Intelligence Review, Volume 14, Issue 6, pp 533–567

Adaptive Intrusion Detection: A Data Mining Approach

  • Wenke Lee
  • Salvatore J. Stolfo
  • Kui W. Mok

Abstract

In this paper we describe a data mining framework for constructing intrusion detection models. The first key idea is to mine system audit data for consistent and useful patterns of program and user behavior. The other is to use the set of relevant system features presented in the patterns to compute inductively learned classifiers that can recognize anomalies and known intrusions. In order for the classifiers to be effective intrusion detection models, we need to have sufficient audit data for training and also select a set of predictive system features. We propose to use the association rules and frequent episodes computed from audit data as the basis for guiding the audit data gathering and feature selection processes. We modify these two basic algorithms to use axis attribute(s) and reference attribute(s) as forms of item constraints to compute only the relevant patterns. In addition, we use an iterative level-wise approximate mining procedure to uncover the low frequency but important patterns. We use meta-learning as a mechanism to make intrusion detection models more effective and adaptive. We report our extensive experiments in using our framework on real-world audit data.

Keywords: association rules, audit data, classification, feature construction, frequent episodes, intrusion detection
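The following is an added example, not code from the paper: a minimal level-wise association-rule miner over constructed connection records, with the axis attribute applied as an item constraint so that only patterns describing a service are reported. The records, the attribute names, the choice of `service` as axis attribute, and the reading of the constraint (every reported pattern must contain an item of the axis attribute) are assumptions made for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed connection records (not real audit data): each record is one
# connection summarised as attribute -> discretised value.
RECORDS = [
    {"service": "http", "flag": "SF", "dst_bytes": "large"},
    {"service": "http", "flag": "SF", "dst_bytes": "large"},
    {"service": "http", "flag": "SF", "dst_bytes": "small"},
    {"service": "smtp", "flag": "SF", "dst_bytes": "small"},
    {"service": "smtp", "flag": "SF", "dst_bytes": "small"},
    {"service": "telnet", "flag": "S0", "dst_bytes": "zero"},
    {"service": "telnet", "flag": "S0", "dst_bytes": "zero"},
    {"service": "telnet", "flag": "S0", "dst_bytes": "zero"},
]

def support_table(records, min_support):
    """Level-wise enumeration of frequent itemsets; items are (attribute, value)
    pairs and support is the fraction of records containing the whole itemset."""
    n = len(records)
    txns = [frozenset(r.items()) for r in records]
    table = {}
    for k in range(1, len(records[0]) + 1):
        counts = Counter(frozenset(c) for t in txns for c in combinations(sorted(t), k))
        level = {s: c / n for s, c in counts.items() if c / n >= min_support}
        if not level:  # no frequent k-itemset means no frequent (k+1)-itemset
            break
        table.update(level)
    return table

def association_rules(records, min_support, min_conf, axis=None):
    """Return (lhs, rhs, support, confidence) rules. With an axis attribute
    (assumed reading of the paper's item constraint), only itemsets containing
    an item of that attribute yield rules, so patterns that do not describe
    any service are never reported."""
    table = support_table(records, min_support)
    rules = []
    for itemset, sup in table.items():
        if len(itemset) < 2:
            continue
        if axis and not any(attr == axis for attr, _ in itemset):
            continue
        for r in range(1, len(itemset)):
            for lhs in map(frozenset, combinations(sorted(itemset), r)):
                conf = sup / table[lhs]  # lhs is frequent too (support is anti-monotone)
                if conf >= min_conf:
                    rules.append((lhs, itemset - lhs, round(sup, 3), round(conf, 3)))
    return rules

if __name__ == "__main__":
    for lhs, rhs, sup, conf in association_rules(RECORDS, 0.25, 0.8, axis="service"):
        print(dict(lhs), "->", dict(rhs), f"support={sup} confidence={conf}")
```

Without the axis constraint the miner also reports `flag=S0 -> dst_bytes=zero`, a pattern that holds but says nothing about which service exhibits it; the constraint drops it while keeping `service=telnet -> flag=S0`.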



Copyright information

© Kluwer Academic Publishers 2000

Authors and Affiliations

  1. Wenke Lee, Computer Science Department, North Carolina State University, Raleigh
  2. Salvatore J. Stolfo, Computer Science Department, Columbia University, New York
  3. Kui W. Mok, Morgan Stanley Dean Witter & Co., New York
