Efficient Mining and Detection of Sequential Intrusion Patterns for Network Intrusion Detection Systems

In recent years, pervasive computing infrastructures have greatly improved the interaction between human and system. As we put more reliance on these computing infrastructures, we also face threats of network intrusion and/or any new forms of undesirable IT-based activities. Hence, network security has become an extremely important issue, which is closely connected with homeland security, business transactions, and people's daily life. Accurate and efficient intrusion detection technologies are required to safeguard the network systems and the critical information transmitted in the network systems. In this chapter, a novel network intrusion detection framework for mining and detecting sequential intrusion patterns is proposed. The proposed framework consists of a Collateral Representative Subspace Projection Modeling (C-RSPM) component for supervised classification, and an inter-transactional association rule mining method based on Layer Divided Modeling (LDM) for temporal pattern analysis. Experiments on the KDD99 data set and the traffic data set generated by a private LAN testbed show promising results with high detection rates, low processing time, and low false alarm rates in mining and detecting sequential intrusion detections.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Reference

  1. [1]
    Agrawal R, Swami A (1993) Mining association rules between sets of items in large data-bases. In: Proceedings of the ACM SIGMOD conference on management of data: 207-216.Google Scholar
  2. [2]
    Alam M.S, Vuong S.T (2007) APHIDS++: A mobile agent based intrusion detection system. In: Proceedings of the 2nd international conference on communication systems software and middleware: 1-6. doi: 10.1109/COMSW A.2007.382483.Google Scholar
  3. [3]
    Anderson D, Frivold T, Anderson A (1995) Next-generation intrusion detection expert system (NIDES): A summary. In: SRI international technical report 95: 28-42. Menlo Park, CA.Google Scholar
  4. [4]
    Basicevic F, Popovic M, Kovacevic V (2005) The use of distributed network-based IDS systems in detection of evasion attacks. In: Proceedings of the advanced industrial conference on telecommunications/service assurance with partial and intermittent resources conference/e-learning on telecommunications workshop. AICT/SAPIR/ELETE: 78-82.Google Scholar
  5. [5]
    Boonjing V, Songram P (2007) Efficient algorithms for mining closed multidimensional sequential patterns. In: Proceedings of the 4th international conference on fuzzy systems and knowledge discovery 2: 749-753.Google Scholar
  6. [6]
    Ertoz L, Eilertson E, Lazarevic A, Tan P, Srevastava J, Kumar V, Dokas P (2004) The MINDS — Minnesota intrusion detection system. Next generation data mining. MIT Press, Cambridge, MA.Google Scholar
  7. [7]
    Esparza O, Soriano M, Munoz J.L, Forne J (2003) A protocol for detecting malicious hosts based on limiting the execution time of mobile agents. In: Proceedings of the 8th IEEE international symposium on computers and communication: 251-256.Google Scholar
  8. [8]
  9. [9]
    Han J, Gong W, Yin Y (1998) Mining segment-wise periodic patterns in time-related databases. In: Proceedings of the international conference on knowledge discovery and data mining: 214-218.Google Scholar
  10. [10]
    Han J, Lu H, Feng L (1998) Stock movement prediction and n-dimensional intertransaction association rules. In: Proceedings of the 1998 SIGMOD workshop research issues on data mining and knowledge discovery 12: 1-7.Google Scholar
  11. [11]
    Han J, Pei J, Yin Y (2000) Mining frequent patterns without candidate generation. In: Proceedings of the ACM SIGMOD international conference on management of data (SIGMOD'00): 1-12.Google Scholar
  12. [12]
    Helmer G, Wong J, HONAVAR V, MILLER L, WANG Y (2003) Lightweight agents for intrusion detection. J Syst Softw 67: 109-122.CrossRefGoogle Scholar
  13. [13]
    Hochberg J, Jackson K, Stallings C, Mcclary J, Dubois D, Ford J (1993) NADIR: An automated system for detecting network intrusions and misuse. Comput Secur 12: 235-248.CrossRefGoogle Scholar
  14. [14]
    Huang K, Chang C, Lin K (2004) Prowl: An efficient frequent continuity mining algorithm on event sequences. In: Proceedings of the 6th international conference on data warehousing and knowledge discovery (DaWak'04), Lecture Notes in Computer Science 3181: 351-360.Google Scholar
  15. [15]
    Kannadiga P, Zulkernine M (2005) DIDMA: A distributed intrusion detection system using mobile agents. In: Proceedings of the 6th international conference on software engineering, artificial intelligence, networking and parallel and distributed computing. 238-245.Google Scholar
  16. [16]
    KDD (1999) KDD cup 1999 data. http://kdd.ics.uci.edu/databases/kddcup99/.
  17. [17]
    Labib K, Vemuri V (2004) Detecting and visualizing Denial-of-Service and network probe attacks using principal component analysis. In: The 3rd conference on security and network architectures (SAR'04). La Londe, France.Google Scholar
  18. [18]
    Lazarevic A, Ertoz L, Kumar V, Ozgur A, Srivastava J (2003) A comparative study of anomaly detection schemes in network intrusion detection. In: Proceedings of the third SIAM conference on data mining. San Francisco, CA.Google Scholar
  19. [19]
    Lee W, Stolfo S (2000) A framework for constructing features and models for intrusion detection systems. ACM Trans Inform Syst Secur 3: 227-261.CrossRefGoogle Scholar
  20. [20]
    Ozden B, Ramaswamy S, Silberschatz A (1998) Cyclic association rules. In: Proceedings of the 14th international conference on data engineering: 412-421.Google Scholar
  21. [21]
    Paek S, Oh Y, Yun J, Lee D (2006) The architecture of host-based intrusion detection model generation system for the frequency per system call. In: Proceedings of the international conference on hybrid information technology (ICHIT'06) 2: 277-283.Google Scholar
  22. [22]
    Quinlan J (1993) C4.5: Programs for machine learning. Morgan Kaufmann, San Fracisco, CA.Google Scholar
  23. [23]
    Quirino T, Xie Z, Shyu M, Chen S, Chang L (2006) Collateral representative subspace projection modeling for supervised classification. In: Proceedings of the 18th IEEE international conference on tools with artificial intelligence (ICTAI'06): 98-105.Google Scholar
  24. [24]
    Ramakrishnan V, Kumar R.A, John S (2007) Intrusion detection using protocol-based non-conformance to trusted behaviors. In: Proceedings of navigation and surveillance conference (ICNS '07): 1-12.Google Scholar
  25. [25]
    Ray P (2007) Host based intrusion detection architecture for mobile ad hoc networks. In: Proceedings of the 9th international conference on advanced communication technology 3: 1942-1946.Google Scholar
  26. [26]
    Shyu M, Quirino T, Xie Z, Chen S, Chang L (2007) Network intrusion detection through adaptive sub-eigenspace modeling in multiagent systems. ACM Transactions on Autonomous and Adaptive Systems 2(3): 1-37.CrossRefGoogle Scholar
  27. [27]
    Snapp S, Bretano J, Dias G, Goan T, Hebrlein L, Ho C, Levitt K, Mukherjee B, Smaha S,Grance T, Teal D, Mansur D (1991) DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype. In: Proceedings of the 14th national computer science conference. Washington D.C.: 167-176.Google Scholar
  28. [28]
    TCPTRACE (2008) Available at http://www.tcptrace.org/.
  29. [29]
    Tou J, Gonzalez R (1974) Pattern recognition principles. Addison-Wesley, MA.MATHGoogle Scholar
  30. [30]
    Tsai M, Lin S, Tseng S (2003) Protocol based foresight anomaly intrusion detection system. In: Proceedings of IEEE the 37th annual 2003 international carnahan conference: 493-500.Google Scholar
  31. [31]
    Tung A, Lu H, Han J, Feng L (2003) Efficient mining of intertransaction association rules. IEEE transactions on knowledge and data engineering 15(1): 43-56.CrossRefGoogle Scholar
  32. [32]
    Vaidehi K, Ramamurthy B (2004) Distributed hybrid agent based intrusion detection and real time response system. In: Proceedings of the 1st international conference on broadband networks (BROADNETS'04): 739-741.Google Scholar
  33. [33]
    Verwored T, Hunt R (2002) Intrusion detection techniques and approaches. ComputComm 25: 1356-1365.Google Scholar
  34. [34]
    Wang Y, Hou Z, Zhou X (2006) An incremental and hash-based algorithm for mining frequent episodes. In: Proceedings of the international conference on computational intelligence and security 1: 832-835.Google Scholar
  35. [35]
    WinDump: tcpdump for Windows (2008) Available at http://www.winpcap.org/windump/default.htm.
  36. [36]
    Xie Z, Quirino T, Shyu M, Chen S, Chang L (2006) UNPCC: A novel unsupervised classification scheme for network intrusion detection. In: Proceedings of the 18th IEEE international conference on tools with artificial intelligence (ICTAI'06): 743-750. Washington D.C., USA.Google Scholar
  37. [37]
    Zhang S, Huang Z, Zhang J, Zhu X (2008) Mining follow-up correlation patterns from time-related databases. Knowl Inf Syst 14(1): 81-100.CrossRefGoogle Scholar
  38. [38]
    Zhang S, Zhang J, Zhu X, Huang Z (2006) Identifying follow-correlation itemset-pairs. In: Proceedings of the 6th IEEE international conference on data mining (ICDM06): 765-774.Google Scholar
  39. [39]
    Gao F, Sun J, Wei Z (2003) The prediction role of hidden Markov model in intrusion detection. In: Proceedings of Canadian conference on electrical and computer engineering 2: 893-896.Google Scholar
  40. [40]
    Yin Q, Zhang R, Li X (2004) A new intrusion detection method based on linear prediction. In: Proceedings of the 3rd international conference on information security (InfoSecu04): 160-165.Google Scholar

Copyright information

© Springer-Verlag US 2009

Authors and Affiliations

  1. 1.Department of Electrical and Computer Engineering, University of MiamiCoral GablesUSA
  2. 2.Department of Computer and Electrical Engineering Technology and Information System and TechnologyIndiana University - Purdue University Fort WayneFort WayneUSA

Personalised recommendations