Anomalous Payload-Based Network Intrusion Detection
TLDR: We present a payload-based anomaly detector, which we call PAYL, for intrusion detection.
  • 871
  • 107
The merge/purge problem for large databases
TLDR: We show the sorted neighborhood method that is used by some to solve merge/purge and present experimental results that demonstrate this approach may work well in practice but at great expense.
  • 945
  • 80
A data mining framework for building intrusion detection models
TLDR: We describe a data mining framework for adaptively building Intrusion Detection (ID) models.
  • 1,291
  • 66
Data mining methods for detection of new malicious executables
TLDR: We present a data mining framework that detects new, previously unseen malicious executables accurately and automatically.
  • 912
  • 66
A framework for constructing features and models for intrusion detection systems
TLDR: We propose a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Intrusion Detection, which uses data mining algorithms to compute activity patterns from system audit data and extracts predictive features from the patterns.
  • 1,020
  • 59
Real-world Data is Dirty: Data Cleansing and The Merge/Purge Problem
TLDR: The problem of merging multiple databases of information about common entities is frequently encountered in KDD and decision support applications in large commercial and government organizations.
  • 887
  • 57
Data Mining Approaches for Intrusion Detection
TLDR: We use data mining techniques to discover consistent and useful patterns of system features, and use the set of relevant system features to compute (inductively learned) classifiers that can recognize anomalies and known intrusions.
  • 1,393
  • 54
AdaCost: Misclassification Cost-Sensitive Boosting
TLDR: AdaCost, a variant of AdaBoost, is a misclassification cost-sensitive boosting method.
  • 573
  • 47
On the feasibility of online malware detection with performance counters
The proliferation of computers in any domain is followed by the proliferation of malware in that domain. Systems, including the latest mobile platforms, are laden with viruses, rootkits, spyware,
  • 262
  • 45
Anagram: A Content Anomaly Detector Resistant to Mimicry Attack
TLDR: We present Anagram, a content anomaly detector that models a mixture of high-order n-grams (n > 1) designed to detect anomalous and "suspicious" network packet payloads.
  • 326
  • 36