Data Mining Approaches for Intrusion Detection

Get BibTex-formatted data

Author

Wenke Lee, Salvatore J. Stolfo

Entry type

techreport

Abstract

In this paper we discuss our research in developing general and systematic methods for intrusion detection. The key ideas are to use data mining techniques to discover consistent and useful patterns of system features that describe program and user behavior, and use the set of relevant system features to compute (inductively learned) classifiers that can be recognize anomalies and known intrusions. Using experiments on the sendmail system call data and the network tcpdump data, we demonstrate that we can construct concise and accurate classifiers to detect anomalies. We provide an overview on two general data mining algorithms that we have implemented: the association rules algorithm and the frequent episodes algorithm. These algorithms can be used toi compute the intra- and inter- audit record paterns, which are essential in describing program or user behavior. The discovered patterns can guide the audit data gathering process and facilitate feature selection. To meet the challenges of both efficient learning (mining) and real-time detection, we propose an agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents.

URL

http://www.usenix.org/publicat ... ers/lee/lee_html/lee.html

Address

500 West 120th Street, New York, NY 10027

Key alpha

Lee

Publisher

Columbia University

Affiliation

Columbia University

Publication Date

2001-01-01

Keywords

sendmail, tcpdump

Language

English

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Techreport{ Lee,
	title = "Data Mining Approaches for Intrusion Detection",
	author = "Wenke Lee, Salvatore J. Stolfo",
	address = "500 West 120th Street, New York, NY 10027",
	publisher = "Columbia University",
	abstract = "In this paper we discuss our research in developing general and systematic methods for intrusion detection.  The key ideas are to use data mining techniques to discover consistent and useful patterns of system features that describe program and user behavior, and use the set of relevant system features to compute (inductively learned) classifiers that can be recognize anomalies and known intrusions.  Using experiments on the sendmail system call data and the network tcpdump data, we demonstrate that we can construct concise and accurate classifiers to detect anomalies.  We provide an overview on two general data mining algorithms that we have implemented: the association rules algorithm and the frequent episodes algorithm.  These algorithms can be used toi compute the intra- and inter- audit record paterns, which are essential in describing program or user behavior.  The discovered patterns can guide the audit data gathering process and facilitate feature selection.  To meet the challenges of both efficient learning (mining) and real-time detection, we propose an agent-based architecture for intrusion detection systems where the learning agents continuously compute and provide the updated (detection) models to the detection agents.",
	affiliation = "Columbia University",
	keywords = "sendmail, tcpdump",
	language = "English",
	url = "http://www.usenix.org/publications/library/proceedings/sec98/full_papers/full_papers/lee/lee_html/lee.html",
}