
A Data Mining and CIDF Based Approach for Detecting Novel and Distributed Intrusions

Conference paper in Recent Advances in Intrusion Detection (RAID 2000)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 1907)

Abstract

As the recent distributed Denial-of-Service (DDoS) attacks on several major Internet sites have shown us, no open computer network is immune from intrusions. Furthermore, intrusion detection systems (IDSs) need to be updated in a timely manner whenever a novel intrusion surfaces, and geographically distributed IDSs need to cooperate to detect distributed and coordinated intrusions. In this paper, we describe an experimental system, based on the Common Intrusion Detection Framework (CIDF), in which multiple IDSs can exchange attack information to detect distributed intrusions. The system also includes an ID model builder, where a data mining engine can receive audit data of a novel attack from an IDS, compute a new detection model, and then distribute it to other IDSs. We describe our experiences in implementing such a system and the preliminary results of deploying it in an experimental network.
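The builder-to-sensor loop the abstract describes, as an added illustration that is not the paper's code: one IDS reports labelled audit records of a novel attack, a model builder induces a detection rule from them, and the rule is pushed to peer sensors, which then alert on matching connections in their own traffic. The record layout, the toy rule learner and the in-memory message passing are assumptions standing in for the CIDF exchange and the paper's data mining engine.

```python
from typing import Dict, List

# Constructed audit records (not from the paper): connection features plus the
# label the reporting IDS attached. The "novel" attack is a half-open flood
# (flag S0 to port 80) that only the first sensor has observed so far.
NOVEL_AUDIT = [
    {"proto": "tcp", "flag": "S0", "dst_port": 80, "label": "attack"},
    {"proto": "tcp", "flag": "S0", "dst_port": 80, "label": "attack"},
    {"proto": "tcp", "flag": "SF", "dst_port": 80, "label": "normal"},
    {"proto": "udp", "flag": "SF", "dst_port": 53, "label": "normal"},
    {"proto": "tcp", "flag": "S0", "dst_port": 22, "label": "normal"},
]

def matches(rule: Dict, record: Dict) -> bool:
    """A rule is a conjunction of feature == value tests."""
    return all(record.get(f) == v for f, v in rule.items())

def induce_rule(records: List[Dict]) -> Dict:
    """Model builder (toy stand-in, not the paper's algorithm): the shortest
    conjunction that covers every attack record and no normal record."""
    attacks = [r for r in records if r["label"] == "attack"]
    normals = [r for r in records if r["label"] == "normal"]
    # Start from every feature whose value is constant across the attacks.
    rule = {f: v for f, v in attacks[0].items()
            if f != "label" and all(r[f] == v for r in attacks)}
    if any(matches(rule, n) for n in normals):
        raise ValueError("attack records are not separable from normal ones")
    # Greedily drop features while the rule still excludes every normal record.
    for f in list(rule):
        trial = {k: v for k, v in rule.items() if k != f}
        if trial and not any(matches(trial, n) for n in normals):
            rule = trial
    return rule

class Sensor:
    """One IDS node: keeps the rules it has received and scans its own traffic."""
    def __init__(self, name: str) -> None:
        self.name, self.rules = name, []
    def receive_model(self, rule: Dict) -> None:
        self.rules.append(dict(rule))
    def alerts(self, records: List[Dict]) -> List[Dict]:
        return [r for r in records if any(matches(ru, r) for ru in self.rules)]

def run_exchange(audit, peers, traffic):
    """Reporting IDS -> model builder -> every peer; returns the rule and the
    number of alerts each peer raises on its own (constructed) traffic."""
    rule = induce_rule(audit)
    for p in peers:
        p.receive_model(rule)
    return rule, {p.name: len(p.alerts(traffic[p.name])) for p in peers}
```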



© 2000 Springer-Verlag Berlin Heidelberg

Cite this paper

Lee, W. et al. (2000). A Data Mining and CIDF Based Approach for Detecting Novel and Distributed Intrusions. In: Debar, H., Mé, L., Wu, S.F. (eds) Recent Advances in Intrusion Detection. RAID 2000. Lecture Notes in Computer Science, vol 1907. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39945-3_4

  • DOI: https://doi.org/10.1007/3-540-39945-3_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-41085-0

  • Online ISBN: 978-3-540-39945-2