
Intrusion Detection Using Knowledge Discovery Method

K. Madhusudhana Rao, G. Ramesh Babu, Dr. Shaik Nazeer

Abstract


In this paper, we focus on issues related to deploying a data mining-based IDS in a real-time environment. We describe our approaches to address three types of issues: accuracy, efficiency, and usability. To improve accuracy, data mining programs are used to analyze audit data and extract features that can distinguish normal activities from intrusions; we use artificial anomalies along with normal and/or intrusion data to produce more effective misuse and anomaly detection models. To improve efficiency, the computational costs of features are analyzed and a multiple-model cost-based approach is used to produce detection models with low cost and high accuracy. We also present a distributed architecture for evaluating cost-sensitive models in real time. To improve usability, adaptive learning algorithms are used to facilitate model construction and incremental updates; unsupervised anomaly detection algorithms are used to reduce the reliance on labeled data. We also present an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models, and it improves the efficiency and scalability of the IDS.

Keywords


data mining-based IDS, known attacks and normal behavior, accuracy (i.e., detection performance), efficiency and usability. Typically, data mining-based IDSs (especially anomaly detection systems)




Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.