Real Time Detection of Novel Attacks by Means of Data Mining Techniques

  • Marcello Esposito
  • Claudio Mazzariello
  • Francesco Oliviero
  • Simon Pietro Romano
  • Carlo Sansone

Abstract

Rule-based Intrusion Detection Systems (IDS) rely on a set of rules to discover attacks in network traffic. Such rules are usually hand-coded by a security administrator and statically detect one or a few attack types: minor modifications of an attack may result in detection failures. For that reason, signature-based classification is not the best technique for detecting novel or slightly modified attacks. In this paper we approach this problem by extracting a set of features from network traffic and computing rules which are able to classify such traffic. Such techniques are usually employed in off-line analysis, as they are very slow and resource-consuming. We want to assess the feasibility of a detection technique which combines the use of a common signature-based intrusion detection system with the deployment of a data mining technique. We will introduce the problem, describe the developed architecture and show some experimental results to demonstrate the usability of such a system.

Keywords

Intrusion Detection, Intrusion Detection System, Data Mining Technique, Packet Loss Ratio, Data Mining Process

Copyright information

© Springer 2007

Authors and Affiliations

All five authors (Marcello Esposito, Claudio Mazzariello, Francesco Oliviero, Simon Pietro Romano, Carlo Sansone) are affiliated with:

  1. Dipartimento di Informatica e Sistemistica, Università degli Studi di Napoli “Federico II”, Napoli, Italy