A framework for constructing features and models for intrusion detection systems

  title={A framework for constructing features and models for intrusion detection systems},
  author={Wenke Lee and S. Stolfo},
  journal={ACM Trans. Inf. Syst. Secur.},
Intrusion detection (ID) is an important component of infrastructure protection mechanisms. Intrusion detection systems (IDSs) need to be accurate, adaptive, and extensible. Given these requirements and the complexities of today's network environments, we need a more systematic and automated IDS development process rather that the pure knowledge encoding and engineering approaches. This article describes a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Instrusion… 

Adaptive Model Generation

Adaptive Model Generation (AMG) is presented, a real time architecture for implementing data mining-based intrusion detection systems by automating the collection of data, the generation and deployment of detection models, and the real-time evaluation of data.

Applying data mining to intrusion detection: the quest for automation, efficiency, and credibility

A framework for mining patterns from system and network audit data, and constructing features according to analysis of intrusion patterns is described, and approaches for improving the run-time efficiency as well as the credibility of detection models are discussed.

Engineering Knowledge Discovery in Network Intrusion Detection

A framework that models the ID process as a set of cooperative tasks each supporting a specialized activity that works well in capturing patterns of intrusion while the availability of an integrated software environment allows a high level of modularity in performing each task.

A case-based framework for meta intrusion detection

A novel case-based reasoning framework for meta intrusion detection, including its rationale, design, implementation, and evaluation is described, including a new case-oriented approach to alert correlation which does not require the presence of session information.

Real time data mining-based intrusion detection

An overview of the research in real time data mining-based intrusion detection systems (IDS) and an architecture consisting of sensors, detectors, a data warehouse, and model generation components is presented that improves the efficiency and scalability of the IDS.

Anomaly intrusion detection model using data mining techniques

This research focuses on the various data mining techniques for anomaly based intrusion detection system using unsupervised anomaly detection schemes on the DARPA’98 data sets and real network traffic to identify accuracy in detecting the different types of network intrusions.

An Overview of Database Centred Intrusion Detection Systems

An overview of database centered intrusion detection systems is given, as it enables the IDS to discover patterns of intrusions and define valid bounds of network traffic.

An intrusion detection approach based on data mining

The reduction algorithm is presented to cancel the redundant attribute set and obtain the optimal attribute set to form the input of the FCM, which improves the performance of intrusion detection since the traffic is large and the types of attack are various.


This paper proposes machine learning algorithms such as Random Forest and AdaBoost, along with Naive Bayes, to build an efficient intrusion detection model and shows that the choice of any data mining algorithm is a compromise among the time taken to build the model, detection rate and low false alarm rate.

An Intrusion Detection System Based on Multiple Level Hybrid Classifier using Enhanced C4.5

  • L. RajeswariA. Kannan
  • Computer Science
    2008 International Conference on Signal Processing, Communications and Networking
  • 2008
A multiple level hybrid classifier for an intrusion detection system that uses a combination of tree classifiers which uses Enhanced C4.5 which rely on labeled training data and an Enhanced Fast Heuristic Clustering Algorithm for mixed data (EFHCAM).

A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems

This thesis describes a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Intrusion Detection, and devise an algorithm that automatically constructs temporal and statistical features according to the semantics of the patterns.

A data mining framework for building intrusion detection models

  • Wenke LeeS. StolfoK. Mok
  • Computer Science
    Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344)
  • 1999
A data mining framework for adaptively building Intrusion Detection (ID) models is described, to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities.

Data Mining Approaches for Intrusion Detection

An agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents is proposed.

Network intrusion detection

Host-based and network-based IDSs are surveyed, and the characteristics of the corresponding systems are identified and an outline of a statistical anomaly detection algorithm employed in a typical IDS is included.

Mining in a data-flow environment: experience in network intrusion detection

It is shown that in order to minimize the time required in using the classification models in a real-time environment, the “necessary conditions” associated with the lowcost features can be exploited to determine whether some high-cost features need to be computed and the corresponding classification rules need to been checked.

A Software Architecture to Support Misuse Intrusion Detection

This paper presents a software architecture for structuring a pattern matching solution to misuse intrusion detection based on Colored Petri Nets, and describes the abstract classes encapsulating generic functionality and the inter-relationships between the classes.

A Study in Using Neural Networks for Anomaly and Misuse Detection

New process-based intrusion detection approaches are described that provide the ability to generalize from previously observed behavior to recognize future unseen behavior and can be used for both anomaly detection and misuse detection.

State of the Practice of Intrusion Detection Technologies

A goal of this report is to provide an unbiased assessment of publicly available ID technology and it is hoped this will help those who purchase and use ID technology to gain a realistic understanding of its capabilities and limitations.

Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation

An intrusion detection evaluation test bed was developed which generated normal traffic similar to that on a government site containing 100's of users on 1000's of hosts and the best systems failed to detect roughly half these new attacks which included damaging access to root-level privileges by remote users.

USTAT: a real-time intrusion detection system for UNIX

  • Koral Ilgun
  • Computer Science
    Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy
  • 1993
The author presents the design and implementation of a real-time intrusion detection tool, called USTAT, a state transition analysis tool for UNIX, which makes use of the audit trails that are collected by the C2 basic security module of SunOS, and it keeps track of only those critical actions that must occur for the successful completion of the penetration.