A framework for constructing features and models for intrusion detection systems

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

A framework for constructing features and models for intrusion detection systems

Full text

Pdf (187 KB)

Source

ACM Transactions on Information and System Security (TISSEC) archive
Volume 3 , Issue 4 (November 2000) table of contents

Pages: 227 - 261

Year of Publication: 2000

ISSN:1094-9224

Authors

Wenke Lee	Georgia Institute of Technology, Atlanta
Salvatore J. Stolfo	Columbia Univ., New York, NY

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 62, Downloads (12 Months): 583, Citation Count: 55

Additional Information:

abstract references cited by index terms review collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/382912.382914 What is a DOI?

ABSTRACT

Intrusion detection (ID) is an important component of infrastructure protection mechanisms. Intrusion detection systems (IDSs) need to be accurate, adaptive, and extensible. Given these requirements and the complexities of today's network environments, we need a more systematic and automated IDS development process rather that the pure knowledge encoding and engineering approaches. This article describes a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Instrusion Detection. This framework uses data mining algorithms to compute activity patterns from system audit data and extracts predictive features from the patterns. It then applies machine learning algorithms to the audit records taht are processed according to the feature definitions to generate intrusion detection rules. Results from the 1998 DARPA Intrusion Detection Evaluation showed that our ID model was one of the best performing of all the participating systems. We also briefly discuss our experience in converting the detection models produced by off-line data mining programs to real-time modules of existing IDSs.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Rakesh Agrawal , Tomasz Imieliński , Arun Swami, Mining association rules between sets of items in large databases, Proceedings of the 1993 ACM SIGMOD international conference on Management of data, p.207-216, May 25-28, 1993, Washington, D.C., United States
	2	ALLEN, J., CHRISTIE, A., FITHEN, W., MCHUGH, J., PICKEL, J., AND STONER, E. 2000. State of the practice of intrusion detection technologies. CMU/SEI-99-TR-028,CMU/SEI. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA.
	3	ANDERSON, D., FRIVOLD, T., AND VALDES, A. 1995. Next-generation intrusion detection expert system (NIDES): A summary. SRI-CSL-95-07 (May).
	4	CHAN,P.K.AND STOLFO, S. J. 1993. Toward parallel and distributed learning by metalearning. In Proceedings of the AAAI Workshop on Knowledge Discovery in Databases. 227-240.
	5	COHEN, W. W. 1995. Fast effective rule induction. In Proceedings of 12th International Conference on Machine Learning (Lake Tahoe, CA). Morgan Kaufmann, San Mateo, CA.
	6	Usama Fayyad , Gregory Piatetsky-Shapiro , Padhraic Smyth, The KDD process for extracting useful knowledge from volumes of data, Communications of the ACM, v.39 n.11, p.27-34, Nov. 1996 [doi>10.1145/240455.240464]
	7	Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
	8	GHOSH,A.K.AND SCHWARTZBARD, A. 1999. A study in using neural networks for anomaly and misuse detection. In Proceedings of the 8th Security Symposium on USENIX (USENIX, Aug.).
	9	ILGUN, K. 1992. USTAT: A real-time intrusion detection system for Unix. Master's Thesis. University of California at Santa Barbara, Santa Barbara, CA.
	10	Koral Ilgun , R. A. Kemmerer , Phillip A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Approach, IEEE Transactions on Software Engineering, v.21 n.3, p.181-199, March 1995 [doi>10.1109/32.372146]
	11	JACOBSON, V., LERES, C., AND MCCANNE, S. 1989. Tcpdump. available via anonymous ftp to ftp.ee.lbl.gov.
	12	KO, C., FINK, G., AND LEVITT, K. 1994. Automated detection of vulnerabilities in privileged programs by execution monitoring. In Proceedings of the 10th Conference on Computer Security Applications (Dec.). IEEE Computer Society Press, Los Alamitos, CA, 134-144.
	13	KUMAR,S.AND SPAFFORD, E. H. 1995. A software architecture to support misuse intrusion detection. In Proceedings of the 18th National Conference on Information Security. 194-204.
	14	Terran Lane , Carla E. Brodley, Temporal sequence learning and data reduction for anomaly detection, ACM Transactions on Information and System Security (TISSEC), v.2 n.3, p.295-331, Aug. 1999 [doi>10.1145/322510.322526]
	15	Wenke Lee , Salvatore J. Stolfo, A data mining framework for constructing features and models for intrusion detection systems (computer security, network security), 1999
	16	LEE,W.AND STOLFO, S. J. 1998. Data mining approaches for intrusion detection. In Proceedings of the 7th Symposium on USENIX Security (San Antonio, TX, Jan.).
	17	LEE, W., STOLFO,S.J.,AND MOK, K. W. 1999. A data mining framework for building intrusion detection models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy (Oakland, California, May).
	18	Wenke Lee , Salvatore J. Stolfo , Kui W. Mok, Mining in a data-flow environment: experience in network intrusion detection, Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining, p.114-124, August 15-18, 1999, San Diego, California, United States [doi>10.1145/312129.312212]
	19	LIPPMANN,R.P.,FRIED, D., GRAF, I., HAINES, J., KENDALL, K., MCCLUNG, D., WEBBER, D., WEBSTER, S., WYSCHOGRAD, D., CUNNINGHAN, R., AND ZISSMAN, M. 2000. Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. In Proceedings of the on DARPA Information Survivability Conference and Exposition (DISCEX '00, Hilton Head, South Carolina, Jan. 25-27). IEEE Computer Society Press, Los Alamitos, CA, 12-26.
	20	LUNT, T. 1993. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology.
	21	LUNT, T., TAMARU, A., GILHAM, F., JAGANNATHAN, R., NEUMANN, P., JAVITZ, H., VALDES, A., AND GARVEY, T. 1992. A real-time intrusion detection expert system (IDES) - final technical report.
	22	MANNILA,H.AND TOIVONEN, H. 1996. Discovering generalized episodes using minimal occurrences. In Proceedings of the 2nd International Conference on Knowledge Discovery in Databases and Data Mining (Portland, OR, Aug.).
	23	MANNILA, H., TOIVONEN, H., AND VERKAMO, A. I. 1995. Discovering frequent episodes in sequences. In Proceedings of the First International Conference on Knowledge Discovery in Databases and Data Mining (Montreal, Canada, Aug. 20-21).
	24	Thomas M. Mitchell, Machine Learning, McGraw-Hill Higher Education, 1997
	25	MUKHERJEE, B., HEBERLEIN,L.T.,AND LEVITT, K. N. 1994. Network intrusion detection. IEEE Network 8, 1 (Jan.).
	26	NETWORK FLIGHT RECORDER INC. 1997. Network flight recorder. http://www.nfr.com
	27	PAXSON, V. 1998. Bro: A system for detecting network intruders in real-time. In Proceedings of the 7th Symposium on USENIX Security (San Antonio, TX, Jan.).
	28	PORRAS,P.AND NEUMANN, P. 1997. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th National Conference on National Information Systems Security. Vol.1 (Baltimore, MD). National Institute of Standards and Technology, Gaithersburg, MD, 353-365.
	29	STOLFO,S.J.,PRODROMIDIS,A.L.,TSELEPIS, S., LEE, W., FAN,D.W.,AND CHAN, P. K. 1997. JAM: Java agents for meta-learning over distributed databases. In Proceedings of the 3rd ACM SIGMOD International Workshop on Data Mining and Knowledge Discovery (SIG-MOD- 96, Newport Beach, CA, Aug.), R. Ng, Ed. ACM Press, New York, NY, 74-81.
	30	SUNSOFT. 1995. SunSHIELD Basic Security Module Guide.
	31	WARRENDER, C., FORREST, S., AND PERLMUTTER, B. 1999. Detecting intrusions using system calls: Alternative data models. In Proceedings of the 1999 IEEE Computer Society Symposium on Research in Security and Privacy (Berkeley, CA, May). IEEE Computer Society Press, Los Alamitos, CA, 133-145.

CITED BY 56

	Wenke Lee, Applying data mining to intrusion detection: the quest for automation, efficiency, and credibility, ACM SIGKDD Explorations Newsletter, v.4 n.2, p.35-42, December 2002
	Salvatore J. Stolfo , Wenke Lee , Philip K. Chan , Wei Fan , Eleazar Eskin, Data mining-based intrusion detectors: an overview of the columbia IDS project, ACM SIGMOD Record, v.30 n.4, December 2001
	Peng Ning , Sushil Jajodia , Xiaoyang Sean Wang, Abstraction-based intrusion detection in distributed environments, ACM Transactions on Information and System Security (TISSEC), v.4 n.4, p.407-452, November 2001
	Zhuowei Li , Amitabha Das, Analyzing and evaluating dynamics in stide performance for intrusion detection, Knowledge-Based Systems, v.19 n.7, p.576-591, November, 2006
	Mustaque Ahamad , Leo Mark , Wenke Lee , Edward Omicienski , Andre dos Santos , Ling Liu , Calton Pu, Guarding the next Internet frontier: countering denial of information attacks, Proceedings of the 2002 workshop on New security paradigms, September 23-26, 2002, Virginia Beach, Virginia
	Klaus Julisch , Marc Dacier, Mining intrusion detection alarms for actionable knowledge, Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, July 23-26, 2002, Edmonton, Alberta, Canada
	Christopher Kruegel , Giovanni Vigna, Anomaly detection of web-based attacks, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Klaus Julisch, Clustering intrusion detection alarms to support root cause analysis, ACM Transactions on Information and System Security (TISSEC), v.6 n.4, p.443-471, November 2003
	Qingbo Yin , Rubo Zhang , Xueyao Li, An new intrusion detection method based on linear prediction, Proceedings of the 3rd international conference on Information security, November 14-16, 2004, Shanghai, China
	Tysen Leckie , Alec Yasinsac, Metadata for Anomaly-Based Security Protocol Attack Deduction, IEEE Transactions on Knowledge and Data Engineering, v.16 n.9, p.1157-1168, September 2004
	Wenke Lee , Wei Fan, Mining system audit data: opportunities and challenges, ACM SIGMOD Record, v.30 n.4, December 2001
	Michael Gertz , George Csaba, Monitoring mission critical data for integrity and availability, Integrity and internal control in information systems V, Kluwer Academic Publishers, Norwell, MA, 2003
	Christopher Kruegel , Giovanni Vigna , William Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.717-738, 5 August 2005
	Srinivas Mukkamala , Andrew H. Sung , Ajith Abraham, Intrusion detection using an ensemble of intelligent paradigms, Journal of Network and Computer Applications, v.28 n.2, p.167-182, April 2005
	Cliff C. Zou , Weibo Gong , Don Towsley , Lixin Gao, The monitoring and early detection of internet worms, IEEE/ACM Transactions on Networking (TON), v.13 n.5, p.961-974, October 2005
	Xiao-Bai Li, A scalable decision tree system and its application in pattern recognition and intrusion detection, Decision Support Systems, v.41 n.1, p.112-130, November 2005
	Giorgio Giacinto , Fabio Roli , Luca Didaci, Fusion of multiple classifiers for intrusion detection in computer networks, Pattern Recognition Letters, v.24 n.12, p.1795-1803, August 2003
	ShengYi Jiang , Xiaoyu Song , Hui Wang , Jian-Jun Han , Qing-Hua Li, A clustering-based method for unsupervised intrusion detections, Pattern Recognition Letters, v.27 n.7, p.802-810, May 2006
	Andrea Bosin , Nicoletta Dessì , Barbara Pes, Intelligent Bayesian classifiers in network intrusion detection, Proceedings of the 18th international conference on Innovations in Applied Artificial Intelligence, p.445-447, June 22-24, 2005, Bari, Italy
	Maheshkumar Sabhnani , Gursel Serpen, Why machine learning algorithms fail in misuse detection on KDD intrusion detection data set, Intelligent Data Analysis, v.8 n.4, p.403-415, September 2004
	Agustín Orfila , Javier Carbó , Arturo Ribagorda, Autonomous decision on intrusion detection with trained BDI agents, Computer Communications, v.31 n.9, p.1803-1813, June, 2008
	Latifur Khan , Mamoun Awad , Bhavani Thuraisingham, A new intrusion detection system using support vector machines and hierarchical clustering, The VLDB Journal — The International Journal on Very Large Data Bases, v.16 n.4, p.507-521, October 2007
	Liwei Kuang , Mohammad Zulkernine, An anomaly intrusion detection method using the CSI-KNN algorithm, Proceedings of the 2008 ACM symposium on Applied computing, March 16-20, 2008, Fortaleza, Ceara, Brazil
	Anália G. Lourenço , Orlando O. Belo, Catching web crawlers in the act, Proceedings of the 6th international conference on Web engineering, July 11-14, 2006, Palo Alto, California, USA
	Shrijit S. Joshi , Vir V. Phoha, Investigating hidden Markov models capabilities in anomaly detection, Proceedings of the 43rd annual southeast regional conference, March 18-20, 2005, Kennesaw, Georgia
	Taneli Mielikäinen , Evimaria Terzi , Panayiotis Tsaparas, Aggregating time partitions, Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining, August 20-23, 2006, Philadelphia, PA, USA
	Guisong Liu , Zhang Yi , Shangming Yang, Letters: A hierarchical intrusion detection model based on the PCA neural networks, Neurocomputing, v.70 n.7-9, p.1561-1568, March, 2007
	Yihua Liao , V. Rao Vemuri , Alejandro Pasos, Adaptive anomaly detection with evolving connectionist systems, Journal of Network and Computer Applications, v.30 n.1, p.60-80, January 2007
	Weidong Cui , Randy H. Katz , Wai-tian Tan, BINDER: an extrusion-based break-in detector for personal computers, Proceedings of the USENIX Annual Technical Conference 2005 on USENIX Annual Technical Conference, p.18-18, April 10-15, 2005, Anaheim, CA
	A. A. Abimbola , J. M. Munoz , W. J. Buchanan, NetHost-sensor: Monitoring a target host's application via system calls, Information Security Tech. Report, v.11 n.4, p.166-175, January, 2006
	Guofei Gu , Alvaro A. Cárdenas , Wenke Lee, Principled reasoning and practical applications of alert fusion in intrusion detection systems, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
	Chi-Ho Tsang , Sam Kwong , Hanli Wang, Genetic-fuzzy rule mining approach and evaluation of feature selection techniques for anomaly intrusion detection, Pattern Recognition, v.40 n.9, p.2373-2391, September, 2007
	Meng Yu , Peng Liu , Wanyu Zang, Specifying and using intrusion masking models to process distributed operations, Journal of Computer Security, v.13 n.4, p.623-658, July 2005
	Michihiro Kuramochi , George Karypis, Finding Frequent Patterns in a Large Sparse Graph*, Data Mining and Knowledge Discovery, v.11 n.3, p.243-271, November 2005
	Damiano Bolzoni , Bruno Crispo , Sandro Etalle, ATLANTIDES: an architecture for alert verification in network intrusion detection systems, Proceedings of the 21st conference on 21st Large Installation System Administration Conference, p.1-12, November 11-16, 2007, Dallas
	Zhenwei Yu , Jeffrey J. P. Tsai , Thomas Weigert, An adaptive automatically tuning intrusion detection system, ACM Transactions on Autonomous and Adaptive Systems (TAAS), v.3 n.3, p.1-25, August 2008
	Giorgio Giacinto , Roberto Perdisci , Mauro Del Rio , Fabio Roli, Intrusion detection in computer networks by a modular ensemble of one-class classifiers, Information Fusion, v.9 n.1, p.69-82, January, 2008
	Cheng Xiang , Png Chin Yong , Lim Swee Meng, Design of multiple-level hybrid classifier for intrusion detection system using Bayesian clustering and decision trees, Pattern Recognition Letters, v.29 n.7, p.918-924, May, 2008
	James V. Hansen , Paul Benjamin Lowry , Rayman D. Meservy , Daniel M. McDonald, Genetic programming for prevention of cyberterrorism through dynamic and evolving intrusion detection, Decision Support Systems, v.43 n.4, p.1362-1374, August, 2007
	Mei-Ling Shyu , Thiago Quirino , Zongxing Xie , Shu-Ching Chen , Liwu Chang, Network intrusion detection through Adaptive Sub-Eigenspace Modeling in multiagent systems, ACM Transactions on Autonomous and Adaptive Systems (TAAS), v.2 n.3, p.9-es, September 2007
	Morteza Analoui , Behrouz Minaei Bidgoli , Mohammad Hossein Rezvani, Hierarchical two-tier ensemble learning: a new paradigm for network intrusion detection, Proceedings of the ACM first Ph.D. workshop in CIKM, November 09-09, 2007, Lisbon, Portugal
	Wei Wang , Xiaohong Guan , Xiangliang Zhang, Processing of massive audit data streams for real-time anomaly intrusion detection, Computer Communications, v.31 n.1, p.58-72, January, 2008
	Tak-Chung Fu , Chung-Leung Lui, Agent-oriented network intrusion detection system using data mining approaches, International Journal of Agent-Oriented Software Engineering, v.1 n.2, p.158-174, July 2007
	Yu Liu , Cristina Comaniciu , Hong Man, Modelling misbehaviour in ad hoc networks: a game theoretic approach for intrusion detection, International Journal of Security and Networks, v.1 n.3/4, p.243-254, December 2006
	Meng Yu , Peng Liu , Wanyu Zang, The implementation and evaluation of a recovery system for workflows, Journal of Network and Computer Applications, v.32 n.1, p.158-183, January, 2009
	Marius Kloft , Ulf Brefeld , Patrick Düessel , Christian Gehl , Pavel Laskov, Automatic feature selection for anomaly detection, Proceedings of the 1st ACM workshop on Workshop on AISec, October 27-27, 2008, Alexandria, Virginia, USA
	Kai Hwang , Min Cai , Ying Chen , Min Qin, Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes, IEEE Transactions on Dependable and Secure Computing, v.4 n.1, p.41-55, January 2007
	Shijie Zhang , Shirong Li , Jiong Yang, GADDI: distance index based subgraph matching in biological networks, Proceedings of the 12th International Conference on Extending Database Technology: Advances in Database Technology, March 24-26, 2009, Saint Petersburg, Russia
	Vegard Engen , Jonathan Vincent , Keith Phalp, Enhancing network based intrusion detection for imbalanced data, International Journal of Knowledge-based and Intelligent Engineering Systems, v.12 n.5,6, p.357-367, December 2008
	Kamran Shafi , Tim Kovacs , Hussein A. Abbass , Weiping Zhu, Intrusion detection with evolutionary learning classifier systems, Natural Computing: an international journal, v.8 n.1, p.3-27, March 2009
	Rachid Beghdad, Efficient deterministic method for detecting new U2R attacks, Computer Communications, v.32 n.6, p.1104-1110, April, 2009
	Igino Corona , Giorgio Giacinto , Claudio Mazzariello , Fabio Roli , Carlo Sansone, Information fusion for computer security: State of the art and open issues, Information Fusion, v.10 n.4, p.274-284, October, 2009
	Liang-Bin Lai , Ray-I Chang , Jen-Shiang Kouh, Detecting network intrusions using signal processing with query-based sampling filter, EURASIP Journal on Advances in Signal Processing, 2009, p.1-8, January 2009
	E. Hernández-Pereira , J. A. Suárez-Romero , O. Fontenla-Romero , A. Alonso-Betanzos, Conversion methods for symbolic features: A comparison applied to an intrusion detection problem, Expert Systems with Applications: An International Journal, v.36 n.7, p.10612-10617, September, 2009
	Nima Sharifimehr , Samira Sadaoul, Markovian workload modeling for Enterprise Application Servers, Proceedings of the 2nd Canadian Conference on Computer Science and Software Engineering, May 19-21, 2009, Montreal, Quebec, Canada
	Jun Gao , Weiming Hu , Xiaoqin Zhang , Xi Li, Adaptive Distributed Intrusion Detection Using Parametric Model, Proceedings of the 2009 IEEE/WIC/ACM International Joint Conference on Web Intelligence and Intelligent Agent Technology, p.675-678, September 15-18, 2009

INDEX TERMS

Primary Classification:
C. Computer Systems Organization
C.2 COMPUTER-COMMUNICATION NETWORKS
C.2.0 General
Subjects: Security and protection (e.g., firewalls)

Additional Classification:
C. Computer Systems Organization
C.2 COMPUTER-COMMUNICATION NETWORKS
C.2.3 Network Operations
Subjects: Network monitoring

H. Information Systems
H.2 DATABASE MANAGEMENT
H.2.8 Database applications
Subjects: Data mining

I. Computing Methodologies
I.2 ARTIFICIAL INTELLIGENCE
I.2.6 Learning
Subjects: Concept learning

General Terms:
Design, Experimentation, Security

Keywords:
data mining, feature construction, intrusion detection

REVIEW

"Seyoum S. Zegiorgis : Reviewer"

The research paper is a lengthy discussion of a data mining framework for constructing an intrusion detection model. The paper shows how to apply data mining programs to audit data for computing frequent patterns and extracting features unique more...

Collaborative Colleagues:

Wenke Lee: colleagues

Salvatore J. Stolfo: colleagues

Adobe Acrobat

QuickTime

Windows Media Player

Real Player