Article

Learning Rules for Anomaly Detection of Hostile Network Traffic

Authors:

Matthew V. Mahoney,

Philip K. ChanAuthors Info & Claims

ICDM '03: Proceedings of the Third IEEE International Conference on Data Mining

Page 601

Published: 19 November 2003 Publication History

Publisher Site

Abstract

We introduce an algorithm called LERAD that learnsrules for finding rare events in nominal time-series datawith long range dependencies. We use LERAD to findanomalies in network packets and TCP sessions to detectnovel intrusions. We evaluated LERAD on the 1999DARPA/Lincoln Laboratory intrusion detection evaluationdata set and on traffic collected in a universitydepartmental server environment.

References

[1]

R. Agrawal & R. Srikant, "Fast Algorithms for Mining Association Rules", Proc. 20th Intl. Conf. Very Large Data Bases, 1994.

Digital Library

Google Scholar

[2]

D. Barbara, J. Couto, S. Jajodia, L. Popyack, & N. Wu, "ADAM: Detecting Intrusions by Data Mining", Proc. IEEE Workshop on Information Assurance and Security, 2001, pp. 11-16.

Google Scholar

[3]

J. Hoagland, SPADE, Silicon Defense, http://www.silicondefense.com/software/spice/, 2000.

Google Scholar

[4]

W. E. Leland, M. S. Taqqu, W. Willinger, & D. W. Wilson, "On the Self-Similar Nature of Ethernet Traffic", Proc. ACM SIGComm, 1993.

Digital Library

Google Scholar

[5]

R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, & K. Das (2000), "The 1999 DARPA Off-Line Intrusion Detection Evaluation", Computer Networks 34(4), 2000, pp. 579-595.

Digital Library

Google Scholar

[6]

M. Mahoney. Source code for PHAD, ALAD, LERAD, NETAD, SAD, EVAL3, EVAL4, EVAL and AFIL.PL is available at http://cs.fit.edu/~mmahoney/dist/

Google Scholar

[7]

M. Mahoney & P. K. Chan, "Learning Rules for Anomaly Detection of Hostile Network Traffic", Florida Tech. technical report CS-2003-16, 2003.

Digital Library

Google Scholar

[8]

V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time", Proc. 7'th USENIX Security Symposium, 1998.

Digital Library

Google Scholar

[9]

V. Paxson, S. Floyd, "The Failure of Poisson Modeling", IEEE/ACM Transactions on Networking (3), 1995, pp. 226-244.

Digital Library

Google Scholar

[10]

M. Roesch, "Snort - Lightweight Intrusion Detection for Networks", Proc. USENIX Lisa, 1999.

Digital Library

Google Scholar

[11]

A. Valdes & K. Skinner, "Adaptive, Model-based Monitoring for Cyber Attack Detection", Proc. RAID, 2000, pp. 80-92.

Digital Library

Google Scholar

Cited By

View all

Liu MXue ZXu XZhong CChen J(2018)Host-Based Intrusion Detection System with System CallsACM Computing Surveys10.1145/321430451:5(1-36)Online publication date: 19-Nov-2018
https://dl.acm.org/doi/10.1145/3214304
AIT TCHAKOUCHT TEZZIYYANI M(2018)Building A Fast Intrusion Detection System For High-Speed-NetworksProcedia Computer Science10.1016/j.procs.2018.01.151127:C(521-530)Online publication date: 1-May-2018
https://dl.acm.org/doi/10.1016/j.procs.2018.01.151
Bian YLiu BLi YGao J(2016)Characterizing network traffic behaviour using granule-based association rule miningNetworks10.1002/nem.193526:4(308-329)Online publication date: 1-Jul-2016
https://dl.acm.org/doi/10.1002/nem.1935
Show More Cited By

Index Terms

Learning Rules for Anomaly Detection of Hostile Network Traffic
1. Mathematics of computing
  1. Probability and statistics
    1. Statistical paradigms
      1. Time series analysis
2. Networks
  1. Network protocols
  2. Network types
    1. Packet-switching networks

Recommendations

Towards an immunity-based anomaly detection system for network traffic
KES'06: Proceedings of the 10th international conference on Knowledge-Based Intelligent Information and Engineering Systems - Volume Part II

We have applied our previous immunity-based system to anomaly detection for network traffic, and confirmed that our system outperformed the single-profile method. For internal masquerader detection, the missed alarm rate was 11.21% with no false alarms. ...
A new approach to network traffic anomaly detection
Network traffic anomaly detection based on packet bytes
SAC '03: Proceedings of the 2003 ACM symposium on Applied computing

Hostile network traffic is often "different" from benign traffic in ways that can be distinguished without knowing the nature of the attack. We describe a two stage anomaly detection system for identifying suspicious traffic. First, we filter traffic to ...

Comments

Information & Contributors

Information

Published In

ICDM '03: Proceedings of the Third IEEE International Conference on Data Mining

November 2003

ISBN:0769519784

Publisher

IEEE Computer Society

United States

Publication History

Published: 19 November 2003

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

28
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 26 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Liu MXue ZXu XZhong CChen J(2018)Host-Based Intrusion Detection System with System CallsACM Computing Surveys10.1145/321430451:5(1-36)Online publication date: 19-Nov-2018
https://dl.acm.org/doi/10.1145/3214304
AIT TCHAKOUCHT TEZZIYYANI M(2018)Building A Fast Intrusion Detection System For High-Speed-NetworksProcedia Computer Science10.1016/j.procs.2018.01.151127:C(521-530)Online publication date: 1-May-2018
https://dl.acm.org/doi/10.1016/j.procs.2018.01.151
Bian YLiu BLi YGao J(2016)Characterizing network traffic behaviour using granule-based association rule miningNetworks10.1002/nem.193526:4(308-329)Online publication date: 1-Jul-2016
https://dl.acm.org/doi/10.1002/nem.1935
Margara ACugola GTamburrelli GBellur UKothari R(2014)Learning from the pastProceedings of the 8th ACM International Conference on Distributed Event-Based Systems10.1145/2611286.2611289(47-58)Online publication date: 26-May-2014
https://dl.acm.org/doi/10.1145/2611286.2611289
Tang GBailey JPei JDong G(2013)Mining multidimensional contextual outliers from categorical relational dataProceedings of the 25th International Conference on Scientific and Statistical Database Management10.1145/2484838.2484883(1-4)Online publication date: 29-Jul-2013
https://dl.acm.org/doi/10.1145/2484838.2484883
Liu BXiao YCao LHao ZDeng F(2013)SVDD-based outlier detection on uncertain dataKnowledge and Information Systems10.1007/s10115-012-0484-y34:3(597-618)Online publication date: 1-Mar-2013
https://dl.acm.org/doi/10.1007/s10115-012-0484-y
Joshi MLingras P(2013)Enhancing Rough Clustering with Outlier Detection Based on Evidential ClusteringProceedings of the 14th International Conference on Rough Sets, Fuzzy Sets, Data Mining, and Granular Computing - Volume 817010.1007/978-3-642-41218-9_14(127-137)Online publication date: 11-Oct-2013
https://dl.acm.org/doi/10.1007/978-3-642-41218-9_14
François JState REngel TFestor OChemouil PMehaoua AFestor OLupu E(2011)Enforcing security with behavioral fingerprintingProceedings of the 7th International Conference on Network and Services Management10.5555/2147671.2147682(64-72)Online publication date: 24-Oct-2011
https://dl.acm.org/doi/10.5555/2147671.2147682
Orair GTeixeira CMeira WWang YParthasarathy S(2010)Distance-based outlier detectionProceedings of the VLDB Endowment10.14778/1920841.19210213:1-2(1469-1480)Online publication date: 1-Sep-2010
https://dl.acm.org/doi/10.14778/1920841.1921021
Brauckhoff DDimitropoulos XWagner ASalamatian KFeldmann AMathy L(2009)Anomaly extraction in backbone networks using association rulesProceedings of the 9th ACM SIGCOMM conference on Internet measurement10.1145/1644893.1644897(28-34)Online publication date: 4-Nov-2009
https://dl.acm.org/doi/10.1145/1644893.1644897
Show More Cited By

Abstract

References

Cited By

Index Terms

Recommendations

Towards an immunity-based anomaly detection system for network traffic

A new approach to network traffic anomaly detection

Network traffic anomaly detection based on packet bytes

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations