Learning Intrusion Detection: Supervised or Unsupervised?

  • Pavel Laskov
  • Patrick Düssel
  • Christin Schäfer
  • Konrad Rieck
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3617)

Abstract

Application and development of specialized machine learning techniques are gaining increasing attention in the intrusion detection community. The variety of learning techniques proposed for different intrusion detection problems can be roughly classified into two broad categories: supervised (classification) and unsupervised (anomaly detection and clustering). In this contribution we develop an experimental framework for comparative analysis of both kinds of learning techniques. In our framework we cast unsupervised techniques as a special case of classification, for which training and model selection can be performed by means of ROC analysis. We then investigate both kinds of learning techniques with respect to their detection accuracy and their ability to detect unknown attacks.
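The following is an added illustration of the framework the abstract describes, not code from the paper: an unsupervised detector's anomaly score is treated like a classifier's score, so a small labelled validation set and ROC analysis choose its operating threshold. The centroid-distance detector, the (packets, bytes-per-packet) features and all data values are constructed assumptions for the example.

```python
# Added illustration, not the paper's code; all data below are constructed.
import math

def fit_centroid(train):
    """Unsupervised training on unlabelled, mostly-normal data: per-feature mean/std."""
    n, d = len(train), len(train[0])
    mean = [sum(x[j] for x in train) / n for j in range(d)]
    std = [math.sqrt(sum((x[j] - mean[j]) ** 2 for x in train) / n) or 1.0 for j in range(d)]
    return mean, std

def anomaly_score(model, x):
    """Standardised distance from the centroid; higher means more anomalous."""
    mean, std = model
    return math.sqrt(sum(((x[j] - mean[j]) / std[j]) ** 2 for j in range(len(x))))

def rates(scores, labels, thr):
    """(fpr, tpr) when every score >= thr is flagged; labels: 1 = attack, 0 = normal."""
    pos = sum(labels)
    tp = sum(1 for s, l in zip(scores, labels) if s >= thr and l == 1)
    fp = sum(1 for s, l in zip(scores, labels) if s >= thr and l == 0)
    return fp / (len(labels) - pos), tp / pos

def roc_curve(scores, labels):
    """ROC points from sweeping the threshold over every observed score (increasing fpr)."""
    return [(0.0, 0.0)] + [rates(scores, labels, t) for t in sorted(set(scores), reverse=True)]

def auc(points):
    """Area under the ROC curve by the trapezoidal rule."""
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(points, points[1:]))

def select_threshold(scores, labels, max_fpr):
    """Model selection via ROC: best detection rate whose false-positive rate
    stays within max_fpr. Returns (threshold, tpr, fpr); ties keep the higher threshold."""
    best = None
    for thr in sorted(set(scores), reverse=True):
        fpr, tpr = rates(scores, labels, thr)
        if fpr <= max_fpr and (best is None or tpr > best[1]):
            best = (thr, tpr, fpr)
    return best

# Constructed (packets, bytes-per-packet) features: TRAIN is unlabelled, VALID is labelled.
TRAIN = [(10, 500), (12, 520), (9, 480), (11, 510), (10, 495), (13, 530), (8, 470), (10, 505)]
VALID = [(10, 500), (11, 515), (9, 490), (12, 525), (15, 560),  # normal; last one is bursty
         (300, 40), (12, 2900), (14, 555)]                       # attacks; last one is subtle
LABELS = [0, 0, 0, 0, 0, 1, 1, 1]

def evaluate(max_fpr):
    """Score VALID with the unsupervised model, then return (AUC, chosen operating point)."""
    model = fit_centroid(TRAIN)
    scores = [anomaly_score(model, x) for x in VALID]
    return auc(roc_curve(scores, LABELS)), select_threshold(scores, LABELS, max_fpr)
```

With a zero false-positive budget the threshold lands above the bursty normal connection and the subtle attack goes undetected; allowing 20% false positives lowers the threshold enough to catch it, which is the accuracy trade-off the ROC sweep makes visible.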

Keywords

Support Vector Machine, Intrusion Detection, Anomaly Detection, Intrusion Detection System, Unlabeled Data

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Pavel Laskov, Patrick Düssel, Christin Schäfer, Konrad Rieck
  • Fraunhofer-FIRST.IDA, Berlin, Germany