Auto-generation of Detection Rules with Tree Induction Algorithm

  • Minsoo Kim
  • Jae-Hyun Seo
  • Il-Ahn Cheong
  • Bong-Nam Noh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3614)


A generation of rule for detecting an attack from enormous network data is very difficult, and this is commonly required an expert’s experiences. An auto-generation of detection rules cut down on maintenance or management expenses of intrusion detection systems, but the problem is accuracy for the time being. In this paper, we propose an automatic generation method of detection rules with a tree induction algorithm that is adequate to search special rules based on entropy theory. While we progress the experiment on rule generation and detection with extracted information from network session data, we found a problem in selecting measures. To solve the problem, we present a method of converting the continuous measures into categorical measures and a method of choosing a good measure according to the accuracy of the generated detection rules. As the result, the detection rules for each attack are automatically generated without any help of the experts. Also, the correctness of detection improves according to the selection of network measures.


Continuous Measure False Alarm Rate Intrusion Detection Intrusion Detection System Network Measure 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Mahoney, M., Chan, P.: Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks. In: Proc. of 8th ACM SIGKDD Int. C. on KDD, vol. 1, pp. 376–385 (2002)Google Scholar
  2. 2.
    Ross Quinlan, J.: C4.5: Programs for Machine Learning. Morgan Kaufmann Pub, San Francisco (1993)Google Scholar
  3. 3.
    Mahoney, M., Chan, P.: Learning Models of Network Traffic for Detecting Novel Attacks. Florida Institute of Tech. TR. CS-2002-08 (2002)Google Scholar
  4. 4.
    Mukkamala, S., Sung, A.: Identifying Significant Features for Network Forensic Analysis using Artificial Intelligent Techniques. Int. J. Digit. Evid 1 (2003)Google Scholar
  5. 5.
    Chris, S., Lyn, P., Sara, M.: An Application of Machine Learning to Network Intrusion Detection. 54th Ann. Computer Security Applications C. 12 (1999)Google Scholar
  6. 6.
    Kamber, H.: Data Mining Concepts and Techniques. Morgan Kaufmann Pub, San Francisco (2001)Google Scholar
  7. 7.
    Yoh-Han, P.: Adaptive Pattern Recognition and Neural Networks. Addison-Wesley, Reading (1989)zbMATHGoogle Scholar
  8. 8.
    Dombi, J., Zsiros, A.: Learning Decision Trees in Continuous Space. Acta Cybernetica 15, 213–224 (2001)zbMATHMathSciNetGoogle Scholar
  9. 9.
    Das, K.: Attack Development for Intrusion Detection Evaluation, vol. 6. MIT Mast. Th., Cambridge (2000)Google Scholar
  10. 10.
    Ostermann, S.: TCPtrace (1994),

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Minsoo Kim
    • 1
  • Jae-Hyun Seo
    • 1
  • Il-Ahn Cheong
    • 2
  • Bong-Nam Noh
    • 3
  1. 1.Dept. of Information SecurityMokpo Nat’l Univ.MokpoKorea
  2. 2.Electronics and Telecommunications Research InstituteDaejeonKorea
  3. 3.Div. of Electr-Comp. & Inform-Engin.Chonnam Nat’l Univ.GwangjuKorea

Personalised recommendations