Open Access  Subscription or Fee Access

This paper explores the design principles of an advanced intrusion detection system (AIDS) with the prevention from the generated attacks. This advanced system combines the advantages of low false-positive rate of signature-based intrusion detection system (IDS) and the ability of anomaly detection system (ADS) to detect novel unknown attacks. By mining anomalous traffic episodes from Internet connections, we build ADS that detects anomalies beyond the capabilities of signature-based systems. A weighted signature generation rule based mining scheme is developed to integrate ADS with signature based system by extracting signatures from anomalies detected. AIDS extracts signatures from the output of ADS and adds them into the signature database for fast and accurate intrusion detection. After this prevention phase of the system is developed using different prevention policy options to the network administrator to avoid further possible network attacks and to prevent it before massive damage. By using new scheme, definitely the detection rate is more compared with 30 percent and 22 percent in using the SNORT and Bro systems, respectively. This increase in detection rate will be obtained with fewer false alarms. The signatures generated by ADS upgrade the SNORT performance by giving options to administrator to set the rule attributes through provided user interface of the system. The AIDS approach proves the vitality of detecting intrusions and anomalies, simultaneously, by automated data mining and signature generation over Internet. The prevention phase provides the flexibility in the intrusion system updating so that it reduces burden from the network administrator to reconfigure the intrusion detection system for the detected attacks.

Anomaly Detection, Data Mining, False Alarms, Internet episodes, Prevention, Signature Detection.

D. Barbara, J. Couto, S. Jajodia, L. Popyack, and N. Wu, “ADAM: Detecting Intrusions by Data Mining,” Proc. IEEE Workshop Information Assurance and Security, 2001.

D.J. Burroughs, L.F. Wilson, and G.V. Cybenko, “Analysis of Distributed Intrusion Detection Systems Using Bayesian Methods Performance,” Proc. IEEE Int’l Computing and Comm. Conf., pp. 329-334, 2002.

M. Cai, K. Hwang, J. Pan, and C. Papadopoulos, “WormShield: Fast Worm Signature Generation Using Distributed Fingerprint Aggregation,” IEEE Trans. Dependable and Secure Computing, 2007.

B. Casewell and J. Beale, SNORT 2.1, Intrusion Detection, second ed. Syngress, May 2004.

W. Cohen, “Fast Effective Rule Induction,” Proc. 12th Int’l Conf. Machine Learning. 1995.

F. Cuppens and A. Miege, “Alert Correlation in a Cooperative Intrusion Detection Framework,” Proc. 2002 IEEE Symp. Security and Privacy, pp. 187-200, 2002.

L. Ertoz, E. Eilertson, A. Lazarevic, P. Tan, J. Srivastava, V. Kumar, and P. Dokas, “The MINDS—Minnesota Intrusion Detection System,” Next Generation Data Mining, MIT Press, 2004.

E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, “A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data,” Applications of Data Mining in Computer Security, Kluwer Academic Publishers, 2002.

M. Ester, H.-P. Kriegel, J. Sander, and X. Xu, “A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise,” Proc. Second Int’l Conf. Knowledge Discovery and Data Mining, 1996.

W. Fan, M. Miller, S. Stolfo, W. Lee, and P. Chan, “Using Artificial Anomalies to Detect Unknown and Known Network Intrusions,” Proc. First IEEE Int’l Conf. Data Mining, Nov. 2001.

U.M. Fayyad and K.B. Irani, “Multi-Interval Discretization of Continuous-Valued Attributes from Classification Learning,” Proc. Int’l Joint Conf. Artificial Intelligence (IJCAI ’93), pp. 1022- 1027, 1993.

S. Floyd and V. Paxson, “Difficulties in Simulating the Internet,” IEEE/ACM Trans. Networking, vol. 9, no. 4, pp. 392-403, Aug. 2001.

K. Hwang, Y. Chen, and H. Liu, “Defending Distributed Computing Systems from Malicious Intrusions and Network Anomalies,” Proc. IEEE Workshop Security in Systems and Networks (SSN ’05) held with the IEEE Int’l Parallel & Distributed Processing Symp., 2005.

K. Hwang, Y. Kwok, S. Song, M. Cai, Y. Chen, and Y. Chen, “DHT-Based Security Infrastructure for Trusted Internet and Grid Computing,” Int’l J. Critical Infrastructures, vol. 2, no. 4, pp. 412- 433, Dec. 2006.

Kaleton Internet, “Combination of Misuse and Anomaly Intrusion Detection Systems,” Available: http://www.kaleton.com.

K.S. Killourhy and R.A. Maxion, “Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits,” Proc.Int’l Symp. Recent Advances in Intrusion Detection (RAID ’02), pp. 54-73, Sept. 2002.

A. Lazarevic, L. Ertoz, V. Kumar, A. Ozgur, and J. Srivastava, “A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection,” Proc. Third SIAM Conf. Data Mining, 2003, Available: http://www.users.cs.umn.edu/~kumar/papers.

W. Lee, S.J. Stolfo, and K. Mok, “Adaptive Intrusion Detection: A Data Mining Approach,” Artificial Intelligence Rev., vol. 14, no. 6, pp. 533-567, Kluwer Academic Publishers, Dec. 2000.

W. Lee and S. Stolfo, “A Framework for Constructing Features and Models for Intrusion Detection Systems,” ACM Trans.Information and System Security (TISSec), 2000.

R.P. Lippmann and J. Haines, “Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation,” Proc. Third Int’l Workshop Recent Advances in Intrusion Detection (RAID ’00), H. Debar, L. Me, and S.F. Wu, eds., pp. 162-182, 2000.

M.V. Mahoney and P.K. Chan, “An Analysis of the 1999 DARPA/ Lincoln Lab Evaluation Data for Network Anomaly Detection,” Proc. Int’l Symp. Recent Advances in Intrusion Detection, pp. 220-237, Sept. 2003.

H. Mannila and H. Toivonen, “Discovering Generalized Episodes Using Minimal Occurrences,” Proc. Second Int’l Conf. Knowledge Discovery and Data Mining, Aug. 1996.

J. McHugh, “Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory,” ACM Trans. Information and System Security, vol. 3, no. 4, Nov. 2000.

P. Ning, S. Jajodia, and X.S. Wang, “Abstraction-Based Intrusion Detection in Distributed Environments,” ACM Trans. Information and System Security, vol. 4, no. 4, pp. 407-452, Nov. 2001.

S. Noel, D. Wijesekera, and C. Youman, “Modern Intrusion Detection, Data Mining, and Degrees of Attack Guilt,” Applications of Data Mining in Computer Security, D. Barbara` and S. Jajodia, eds., Kluwer Academic Publishers, 2002.

V. Paxson, “Bro: A System for Detecting Network Intrusions in Real Time,” Proc. Seventh USENIX Security Symp., 1998.

P.A. Porras and P.G. Neumann, “EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances,” Proc. 19th Nat’l Computer Security Conf., pp. 353-365, Oct. 1997.

M. Qin and K. Hwang, “Frequent Episode Rules for Internet Traffic Analysis and Anomaly Detection,” Proc. IEEE Network Computing and Applications (NAC ’04), Sept. 2004.

D.J. Ragsdale, C.A. Carver, J. Humphries, and U. Pooch, “Adaptation Techniques for Intrusion Detection and Response Systems,” Proc. IEEE Int’l Conf. Systems, Man, and Cybernetics, pp. 2344-2349, Oct. 2000.

G.D. Ramkumar, S. Ranka, and S. Tsur, “Weighted Association Rules: Model and Algorithm,” Proc. Fourth ACM Int’l Conf. Knowledge Discovery and Data Mining, 1998.

M. Roesch, “SNORT—Lightweight Intrusion Detection for Networks,” Proc. USENIX 13th Systems Administration Conf. (LISA ’99), pp. 229-238, 1999.

F. Tao, F. Murtagh, and M. Farid, “Weighted Association Rule Mining Using Weighted Support and Significance Framework,” Proc. Ninth ACM Int’l Conf. Knowledge Discovery and Data Mining (SIGKDD), pp. 661-666, 2003.

G.B. White, E.A. Fisch, and U.W. Pooch, “Cooperating Security Managers: A Peer-Based Intrusion Detection System,” IEEE Network, pp. 20-23, Jan. 1996.

Y. Xie, H. Kim, D.R. O’Hallaron, M.K. Reiter, and H. Zhang, “Seurat: A Pointillist Approach to Anomaly Detection,” Proc. Seventh Int’l Symp. Recent Advances in Intrusion Detection (RAID ’04), 2004.

T. Lunt, “Detecting intruders in computer systems”. In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.

T. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, P. Neumann,H. Javitz, A. Valdes, and T. Garvey, “ A real-time intrusion detection expert system (IDES) - final technical report”, Technical report, Computer Science Laboratory, SRI International, Menlo Park, California, February 1992.