A framework for constructing features and models for intrusion detection systems

@article{Lee2000AFF,
  title={A framework for constructing features and models for intrusion detection systems},
  author={Wenke Lee and S. Stolfo},
  journal={ACM Trans. Inf. Syst. Secur.},
  year={2000},
  volume={3},
  pages={227-261}
}
Intrusion detection (ID) is an important component of infrastructure protection mechanisms. Intrusion detection systems (IDSs) need to be accurate, adaptive, and extensible. Given these requirements and the complexities of today's network environments, we need a more systematic and automated IDS development process rather than the pure knowledge encoding and engineering approaches. This article describes a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Intrusion…
Adaptive Model Generation
Adaptive Model Generation (AMG) is presented, a real-time architecture for implementing data mining-based intrusion detection systems by automating the collection of data, the generation and deployment of detection models, and the real-time evaluation of data.
Applying data mining to intrusion detection: the quest for automation, efficiency, and credibility
A framework for mining patterns from system and network audit data, and constructing features according to analysis of intrusion patterns, is described, and approaches for improving the run-time efficiency as well as the credibility of detection models are discussed.
Engineering Knowledge Discovery in Network Intrusion Detection
A framework that models the ID process as a set of cooperative tasks, each supporting a specialized activity, is presented; it works well in capturing patterns of intrusion, while the availability of an integrated software environment allows a high level of modularity in performing each task.
A case-based framework for meta intrusion detection
A novel case-based reasoning framework for meta intrusion detection is described, including its rationale, design, implementation, and evaluation, together with a new case-oriented approach to alert correlation which does not require the presence of session information.
Real time data mining-based intrusion detection
An overview of the research in real-time data mining-based intrusion detection systems (IDS) is given, and an architecture consisting of sensors, detectors, a data warehouse, and model generation components is presented that improves the efficiency and scalability of the IDS.
Anomaly intrusion detection model using data mining techniques
This research focuses on the various data mining techniques for anomaly-based intrusion detection systems, using unsupervised anomaly detection schemes on the DARPA'98 data sets and real network traffic to measure accuracy in detecting the different types of network intrusions.
An Overview of Database Centred Intrusion Detection Systems
Intrusion detection systems have become a major component of network security infrastructures. Modern-day intrusion detection systems are to be reliable, extensible, adaptive to the flow of network
An intrusion detection approach based on data mining
A reduction algorithm is presented to remove redundant attributes and obtain the optimal attribute set that forms the input of the FCM; this improves the performance of intrusion detection, since the traffic volume is large and the types of attack are various.
EVALUATING MACHINE LEARNING ALGORITHMS FOR DETECTING NETWORK INTRUSIONS
This paper proposes machine learning algorithms such as Random Forest and AdaBoost, along with Naive Bayes, to build an efficient intrusion detection model, and shows that the choice of any data mining algorithm is a compromise among the time taken to build the model, the detection rate, and a low false alarm rate.
An Intrusion Detection System Based on Multiple Level Hybrid Classifier using Enhanced C4.5
  • L. Rajeswari, A. Kannan
  • Computer Science
  • 2008 International Conference on Signal Processing, Communications and Networking
  • 2008
A multiple-level hybrid classifier for an intrusion detection system is presented that combines tree classifiers based on Enhanced C4.5, which rely on labeled training data, with an Enhanced Fast Heuristic Clustering Algorithm for mixed data (EFHCAM).

References

A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems
This thesis describes a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Intrusion Detection, and devises an algorithm that automatically constructs temporal and statistical features according to the semantics of the patterns.
A data mining framework for building intrusion detection models
  • Wenke Lee, S. Stolfo, K. Mok
  • Computer Science
  • Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344)
  • 1999
A data mining framework for adaptively building Intrusion Detection (ID) models is described: auditing programs are used to extract an extensive set of features that describe each network connection or host session, and data mining programs are applied to learn rules that accurately capture the behavior of intrusions and normal activities.
Data Mining Approaches for Intrusion Detection
An agent-based architecture for intrusion detection systems is proposed, in which the learning agents continuously compute and provide the updated (detection) models to the detection agents.
Network intrusion detection
Host-based and network-based IDSs are surveyed, the characteristics of the corresponding systems are identified, and an outline of a statistical anomaly detection algorithm employed in a typical IDS is included.
Mining in a data-flow environment: experience in network intrusion detection
It is shown that, in order to minimize the time required to use the classification models in a real-time environment, the "necessary conditions" associated with the low-cost features can be exploited to determine whether some high-cost features need to be computed and the corresponding classification rules need to be checked.
A Software Architecture to Support Misuse Intrusion Detection
This paper presents a software architecture for structuring a pattern matching solution to misuse intrusion detection based on Colored Petri Nets, and describes the abstract classes encapsulating generic functionality and the inter-relationships between the classes.
A Study in Using Neural Networks for Anomaly and Misuse Detection
New process-based intrusion detection approaches are described that provide the ability to generalize from previously observed behavior to recognize future unseen behavior, and can be used for both anomaly detection and misuse detection.
State of the Practice of Intrusion Detection Technologies
Abstract: Attacks on the nation's computer infrastructures are a serious problem. Over the past 12 years, the growing number of computer security incidents on the Internet has reflected the growth
Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation
An intrusion detection evaluation test bed was developed which generated normal traffic similar to that on a government site containing hundreds of users on thousands of hosts; the best systems failed to detect roughly half of these new attacks, which included damaging access to root-level privileges by remote users.
USTAT: a real-time intrusion detection system for UNIX
  • Koral Ilgun
  • Computer Science
  • Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy
  • 1993
The author presents the design and implementation of a real-time intrusion detection tool, called USTAT, a state transition analysis tool for UNIX, which makes use of the audit trails that are collected by the C2 basic security module of SunOS, and keeps track of only those critical actions that must occur for the successful completion of the penetration.