Adaptive intrusion detection: A data mining approach

W Lee, SJ Stolfo, KW Mok - Artificial Intelligence Review, 2000 - Springer
Abstract
In this paper we describe a data mining framework for constructing intrusion detection models. The first key idea is to mine system audit data for consistent and useful patterns of program and user behavior. The other is to use the set of relevant system features presented in the patterns to compute inductively learned classifiers that can recognize anomalies and known intrusions. In order for the classifiers to be effective intrusion detection models, we need to have sufficient audit data for training and also select a set of predictive system features. We propose to use the association rules and frequent episodes computed from audit data as the basis for guiding the audit data gathering and feature selection processes. We modify these two basic algorithms to use axis attribute(s) and reference attribute(s) as forms of item constraints to compute only the relevant patterns. In addition, we use an iterative level-wise approximate mining procedure to uncover the low frequency but important patterns. We use meta-learning as a mechanism to make intrusion detection models more effective and adaptive. We report our extensive experiments in using our framework on real-world audit data.
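As an added illustration, not code from the paper, the following Python mines association rules from a few constructed connection records using the axis-attribute item constraint the abstract describes: only itemsets that contain the axis attribute are counted, so correlations among non-axis attributes alone are never generated. The choice of `service` as the axis attribute, the attribute names and the record values are assumptions made for this example.

```python
from itertools import combinations

# Constructed sample audit records (not from the paper): one network
# connection per record, attributes already discretised to labels.
RECORDS = [
    {"service": "http", "flag": "SF", "dst_host": "hostA"},
    {"service": "http", "flag": "SF", "dst_host": "hostA"},
    {"service": "http", "flag": "SF", "dst_host": "hostB"},
    {"service": "smtp", "flag": "SF", "dst_host": "hostA"},
    {"service": "smtp", "flag": "S0", "dst_host": "hostC"},
    {"service": "http", "flag": "S0", "dst_host": "hostC"},
]

def to_items(record):
    """Encode a record as a set of 'attribute=value' items."""
    return frozenset(f"{k}={v}" for k, v in record.items())

def support(itemset, baskets):
    """Fraction of records that contain every item of the itemset."""
    return sum(itemset <= b for b in baskets) / len(baskets)

def frequent_itemsets(records, axis, min_support):
    """Itemsets with support >= min_support that contain at least one
    item of the axis attribute (the item constraint); sets built only
    from non-axis attributes are never counted."""
    baskets = [to_items(r) for r in records]
    candidates = set()
    for b in baskets:
        for size in range(1, len(b) + 1):
            for combo in combinations(sorted(b), size):
                if any(item.startswith(axis + "=") for item in combo):
                    candidates.add(frozenset(combo))
    freq = {s: support(s, baskets) for s in candidates}
    return {s: v for s, v in freq.items() if v >= min_support}

def association_rules(records, axis, min_support, min_confidence):
    """Split each frequent axis-constrained itemset into LHS -> RHS and
    keep rules with confidence = support(LHS|RHS) / support(LHS)."""
    baskets = [to_items(r) for r in records]
    rules = []
    for itemset, sup in frequent_itemsets(records, axis, min_support).items():
        for size in range(1, len(itemset)):
            for lhs in map(frozenset, combinations(sorted(itemset), size)):
                conf = sup / support(lhs, baskets)
                if conf >= min_confidence:
                    rules.append((tuple(sorted(lhs)), tuple(sorted(itemset - lhs)), sup, conf))
    return sorted(rules, key=lambda r: (-r[3], -r[2], r[0]))
```

With `min_support=0.3` and `min_confidence=0.8`, the only rule surviving on this sample is `dst_host=hostA & service=http -> flag=SF`; `flag=SF` alone has support 0.67 but is never reported as a pattern because it lacks the axis attribute.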