Saturday, October 28, 2006

A Framework for constructing Features and Models for Intrusion Detection Systems

Lee, W., & Stolfo, S.J. (2000). A Framework for constructing Features and Models for Intrusion Detection Systems. ACM Transactions on Information and System Security, 3(4), 227-261. Retrieved September 13, 2006, from the ACM Digital Library database.

In this article, Lee and Stolfo described Mining Audit Data for Automated Models for Intrusion Detection (MADAM ID), a framework that uses data mining to compute patterns of intrusion activity from audit data and to build intrusion detection models from them, and proposed improvements to make the construction of intrusion detection systems more systematic and automated.

Of the two main intrusion detection techniques, misuse detection matches audit data against the patterns of known attacks. Because a novel attack has no known pattern, misuse detection cannot catch it. Anomaly detection, the other technique, models normal behavior and flags deviations from it; it can catch novel attacks but is apt to generate a higher rate of false alarms than misuse detection. To build Intrusion Detection Systems (IDSs) with either technique in a more systematic way, MADAM ID starts from large stores of raw audit data (for example, network packet captures), which are first processed into ASCII packet records and then summarized into connection records. Data mining programs are run over the connection records to find frequently recurring patterns, and those patterns guide the selection of the features (per-connection attributes, and statistics computed over a time window of recent connections) that best characterize normal and intrusive activity. Classification algorithms are then applied to the records, described by those features, to produce intrusion detection models. The authors proposed extending the framework to replace hand-coded intrusion patterns with learned rules, to use the patterns found in the audit data to select system features, and to use meta-learning, that is, to build a model that combines the evidence of several base models and makes its final prediction from their separate classifications. The reasons for using meta-learning were to combine intrusion detection models efficiently and to improve the accuracy of classification.
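The pipeline described above (connection records, pattern mining, feature construction, then a learned rule) as an added worked example; this is not the paper's own code. It assumes a cut-down version of each stage: constructed connection records with a TCP status flag (SF for a completed connection, S0 for a SYN that got no reply), a 2-second window of connections to the same destination host as the unit over which patterns and features are computed, frequent (service, flag) items standing in for the paper's frequent episodes, and a one-condition rule learner standing in for a full rule-induction algorithm.

```python
"""Simplified MADAM ID-style pipeline over constructed connection records:
mine frequent patterns, derive features from them, learn a rule (added example)."""
from collections import Counter, namedtuple

# Constructed connection record (a simplified stand-in for the summarized
# records MADAM ID builds from packet data): time, source, destination,
# service, TCP status flag (SF = normal completion, S0 = SYN seen, no reply)
# and a label that would come from a labeled training set.
Conn = namedtuple("Conn", "t src dst service flag label")

WINDOW = 2.0  # seconds of history used for time-based features (assumed)


def sample_records():
    """Constructed sample: steady web traffic to 10.0.0.5, one ftp session,
    then a burst of half-open connections (a SYN flood) against 10.0.0.5."""
    recs = [Conn(i * 1.0, "10.0.0.%d" % (10 + i), "10.0.0.5", "http", "SF", "normal")
            for i in range(6)]
    recs.append(Conn(0.5, "10.0.0.20", "10.0.0.6", "ftp", "SF", "normal"))
    recs += [Conn(6.0 + i * 0.1, "192.168.1.%d" % i, "10.0.0.5", "http", "S0", "attack")
             for i in range(8)]
    return sorted(recs, key=lambda c: c.t)


def window_of(recs, i):
    """Records to the same destination host within the last WINDOW seconds,
    including record i itself (the destination host is the reference attribute)."""
    r = recs[i]
    return [c for c in recs[:i + 1] if c.dst == r.dst and r.t - WINDOW < c.t <= r.t]


def mine_frequent_items(recs, min_support):
    """Frequent (service, flag) items across all windows: a cut-down stand-in
    for the paper's frequent-episode mining."""
    support = Counter()
    for i in range(len(recs)):
        for item in {(c.service, c.flag) for c in window_of(recs, i)}:
            support[item] += 1
    return {item for item, n in support.items() if n / len(recs) >= min_support}


def build_features(recs, patterns):
    """Construct time-based features: connection count, same-service rate,
    and one '<flag>_rate' feature per flag that appeared in a frequent pattern."""
    flags = sorted({flag for _, flag in patterns})
    names = ["count", "same_srv_rate"] + [f + "_rate" for f in flags]
    rows = []
    for i, r in enumerate(recs):
        w = window_of(recs, i)
        n = len(w)
        row = [n, sum(c.service == r.service for c in w) / n]
        row += [sum(c.flag == f for c in w) / n for f in flags]
        rows.append(row)
    return names, rows


def classify(rule, names, row):
    """Apply a learned (feature, op, threshold) rule to one feature row."""
    name, op, thr = rule
    v = row[names.index(name)]
    hit = v >= thr if op == ">=" else v <= thr
    return "attack" if hit else "normal"


def learn_rule(names, rows, labels):
    """Single-condition rule learner: pick the (feature, op, threshold) that
    best separates attack from normal on the training rows."""
    best, best_acc = None, -1.0
    for name in names:
        j = names.index(name)
        for thr in sorted({row[j] for row in rows}):
            for op in (">=", "<="):
                preds = [classify((name, op, thr), names, row) for row in rows]
                acc = sum(p == l for p, l in zip(preds, labels)) / len(labels)
                if acc > best_acc:
                    best, best_acc = (name, op, thr), acc
    return best, best_acc


def run_pipeline(min_support=0.5):
    """Run all stages on the constructed sample and return the results."""
    recs = sample_records()
    patterns = mine_frequent_items(recs, min_support)
    names, rows = build_features(recs, patterns)
    rule, acc = learn_rule(names, rows, [c.label for c in recs])
    return patterns, names, rule, acc


if __name__ == "__main__":
    patterns, names, rule, acc = run_pipeline()
    print("frequent patterns:", sorted(patterns))
    print("features:", names)
    print("learned rule: %s %s %g -> attack (training accuracy %.2f)" % (rule + (acc,)))
```

On the constructed sample the frequent item (http, S0) causes an S0_rate feature to be constructed, and the learned rule is "S0_rate >= 0.5 -> attack", which is a rule the analyst did not have to write by hand. The point of the mining stage is that a raw connection count alone does not separate the two classes here (the first flood connection looks like ordinary traffic by count), while the flag-rate feature suggested by the mined pattern does.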

The authors' experiments demonstrated that user anomaly detection models could be built from recurring patterns mined from audit data, and that the mined patterns could guide the choice of statistical features for building classification models. The authors stated that since anomaly detection models are the only means of finding novel intrusions, their future work would be to develop algorithms for learning network anomaly detection models. They also indicated that ID models need to take account of costs: the cost of developing and operating the model, the damage done by an intrusion, and the cost of detecting and responding to one.
