
Efficient Mining and Detection of Sequential Intrusion Patterns for Network Intrusion Detection Systems

Chapter in: Machine Learning in Cyber Trust

In recent years, pervasive computing infrastructures have greatly improved the interaction between humans and systems. As we place more reliance on these computing infrastructures, we also face threats of network intrusion and new forms of undesirable IT-based activity. Network security has therefore become an extremely important issue, closely connected with homeland security, business transactions, and people's daily lives. Accurate and efficient intrusion detection technologies are required to safeguard network systems and the critical information transmitted through them. In this chapter, a novel network intrusion detection framework for mining and detecting sequential intrusion patterns is proposed. The proposed framework consists of a Collateral Representative Subspace Projection Modeling (C-RSPM) component for supervised classification, and an inter-transactional association rule mining method based on Layer Divided Modeling (LDM) for temporal pattern analysis. Experiments on the KDD99 data set and on a traffic data set generated by a private LAN testbed show promising results, with high detection rates, low processing time, and low false alarm rates in mining and detecting sequential intrusion patterns.



Author information

Corresponding author: Mei-Ling Shyu.


Copyright information

© 2009 Springer-Verlag US

About this chapter

Cite this chapter

Shyu, M.L., Huang, Z., Luo, H. (2009). Efficient Mining and Detection of Sequential Intrusion Patterns for Network Intrusion Detection Systems. In: Machine Learning in Cyber Trust. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-88735-7_6

  • DOI: https://doi.org/10.1007/978-0-387-88735-7_6
  • Publisher Name: Springer, Boston, MA
  • Print ISBN: 978-0-387-88734-0
  • Online ISBN: 978-0-387-88735-7
