Weighting versus pruning in rule validation for detecting network and host anomalies

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback
Take a look at the new version of this page: [ beta version ]. Tell us what you think.

Weighting versus pruning in rule validation for detecting network and host anomalies

Full text

Pdf (791 KB)

Source

International Conference on Knowledge Discovery and Data Mining archive
Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining table of contents

San Jose, California, USA

SESSION: Research track papers table of contents

Pages: 697 - 706

Year of Publication: 2007

ISBN:978-1-59593-609-7

Authors

Gaurav Tandon	Florida Institute of Technology
Philip K. Chan	Florida Institute of Technology

Sponsors

ACM: Association for Computing Machinery
SIGKDD: ACM Special Interest Group on Knowledge Discovery in Data
SIGMOD: ACM Special Interest Group on Management of Data

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 5, Downloads (12 Months): 94, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1281192.1281267 What is a DOI?

ABSTRACT

For intrusion detection, the LERAD algorithm learns a succinct set of comprehensible rules for detecting anomalies, which could be novel attacks. LERAD validates the learned rules on a separate held-out validation set and removes rules that cause false alarms. However, removing rules with possible high coverage can lead to missed detections. We propose to retain these rules and associate weights to them. We present three weighting schemes and our empirical results indicate that, for LERAD, rule weighting can detect more attacks than pruning with minimal computational overhead.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
	2	W. Cohen. Fast Effective Rule Induction. ICML. 1995. 115--123.
	3	Henry Hanping Feng , Oleg M. Kolesnikov , Prahlad Fogla , Wenke Lee , Weibo Gong, Anomaly Detection Using Call Stack Information, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.62, May 11-14, 2003
	4	Anup K. Ghosh , Aaron Schwartzbard, A study in using neural networks for anomaly and misuse detection, Proceedings of the 8th conference on USENIX Security Symposium, p.12-12, August 23-26, 1999, Washington, D.C.
	5	K. Kendell. A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. MIT. Cambridge, MA. 1999
	6	Richard Lippmann , Joshua W. Haines , David J. Fried , Jonathan Korba , Kumar Das, The 1999 DARPA off-line intrusion detection evaluation, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.34 n.4, p.579-595, Oct. 2000 [doi>10.1016/S1389-1286(00)00139-0]
	7	Matthew V. Mahoney , Philip K. Chan, Learning Rules for Anomaly Detection of Hostile Network Traffic, Proceedings of the Third IEEE International Conference on Data Mining, p.601, November 19-22, 2003
	8	R. Sekar , M. Bendre , D. Dhurjati , P. Bollineni, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.144, May 14-16, 2001
	9	C. Warrender and S. Forrest and B. Pearlmutter. Detecting Intrusions Using System Calls: Alternative Data Models. IEEE Security and Privacy, 1999.
	10	Andreas Wespi , Marc Dacier , Hervé Debar, Intrusion Detection Using Variable-Length Audit Trail Patterns, Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, p.110-129, October 02-04, 2000
	11	I. Witten and T. Bell. The zero-frequency problem: estimating the probabilities of novel events in adaptive text compression. IEEE Trans. Information Theory. 1991.
	12	Rakesh Agrawal , Ramakrishnan Srikant, Fast Algorithms for Mining Association Rules in Large Databases, Proceedings of the 20th International Conference on Very Large Data Bases, p.487-499, September 12-15, 1994
	13	Avrim Blum, Empirical Support for Winnow and Weighted-MajorityAlgorithms: Results on a Calendar Scheduling Domain, Machine Learning, v.26 n.1, p.5-23, Jan. 1997 [doi>10.1023/A:1007335615132]
	14	Nick Littlestone, Learning Quickly When Irrelevant Attributes Abound: A New Linear-Threshold Algorithm, Machine Learning, v.2 n.4, p.285-318, April 1988 [doi>10.1023/A:1022869011914]
	15	Nick Littlestone , Manfred K. Warmuth, The weighted majority algorithm, Information and Computation, v.108 n.2, p.212-261, Feb. 1, 1994 [doi>10.1006/inco.1994.1009]
	16	Robertson, W. and Vigna, G. and Kruegel, C. and Kemmerer, R. A., Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks. NDSS, 2006.
	17	Sandeep Bhatkar , Abhishek Chaturvedi , R. Sekar, Dataflow Anomaly Detection, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.48-62, May 21-24, 2006 [doi>10.1109/SP.2006.12]
	18	Debin Gao , Michael K. Reiter , Dawn Song, On gray-box program tracking for anomaly detection, Proceedings of the 13th conference on USENIX Security Symposium, p.8-8, August 09-13, 2004, San Diego, CA
	19	Barbara, D. and Couto, J. and Jajodia, S. and Popyack, L. and Wu, N., ADAM: Detecting Intrusions by Data Mining, IEEE Workshop on Information Assurance and Security, 2001.
	20	Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
	21	Vern Paxson, Bro: a system for detecting network intruders in real-time, Proceedings of the 7th conference on USENIX Security Symposium, p.3-3, January 26-29, 1998, San Antonio, Texas
	22	Anderson, D. and Lunt, T. F. and Javitz, H. and Tamaru, A. and Valdes, A., Detecting unusual program behavior using the statistical component of the Next generation Intrusion Detection Expert System (NIDES), Computer Science Laboratory SRI, "SRI-CSL-95-06", 1995.
	23	Stuart Staniford , James A. Hoagland , Joseph M. McAlerney, Practical automated detection of stealthy portscans, Journal of Computer Security, v.10 n.1-2, p.105-136, 2002
	24	Darren Mutz , Fredrik Valeur , Giovanni Vigna , Christopher Kruegel, Anomalous system call detection, ACM Transactions on Information and System Security (TISSEC), v.9 n.1, p.61-93, February 2006 [doi>10.1145/1127345.1127348]
	25	Christopher Krügel , Thomas Toth , Engin Kirda, Service specific anomaly detection for network intrusion detection, Proceedings of the 2002 ACM symposium on Applied computing, March 11-14, 2002, Madrid, Spain [doi>10.1145/508791.508835]
	26	Tandon, G. and Chan, P. K., On the learning of system call attributes for host--based anomaly detection, Intl. Journal on AI Tools, 15, 6, 875--892, 2006.
	27	Vern Paxson , Sally Floyd, Wide area traffic: the failure of Poisson modeling, IEEE/ACM Transactions on Networking (TON), v.3 n.3, p.226-244, June 1995 [doi>10.1109/90.392383]
	28	Flach, P .A., The many faces of ROC analysis in Machine Learning, ICML Tutorial, 2004.