Abstract
Data mining-based intrusion detection systems (IDSs) have significant advantages over signature-based IDSs because they generalize models from network audit data and can therefore detect new attacks rather than only known signatures. However, data mining-based IDSs are difficult to deploy in practice because of the complexity of collecting and managing the audit data needed to train the detection models. In this paper we present Adaptive Model Generation (AMG), a real-time architecture for implementing data mining-based intrusion detection systems. The architecture addresses these deployment problems by automating the collection of audit data, the generation and deployment of detection models, and the real-time evaluation of incoming data against the deployed models. It is a distributed system built from general classes of components that can be exchanged within the framework without changing the rest of the system. We also present specific instances of these components, including auditing sub-systems, model generators for misuse detection and anomaly detection, and support for visualization and correlation of multiple audit sources.
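The abstract describes AMG as a loop of sensors writing audit records to a central store, model generators training detection models from that store, and detectors evaluating live records against whichever model is currently deployed. The following is an added illustration of that loop, written for this page and not taken from the AMG system itself: the component names (DataWarehouse, generate_model, Detector), the per-feature negative-log-likelihood anomaly model, the threshold rule, and the connection-style audit records are all constructed for the example and are not the paper's algorithms or data.

```python
"""Constructed AMG-style pipeline (example code, not the paper's own): sensors feed a
central data warehouse, a model generator trains an anomaly model from it, and a
detector scores live audit records against the deployed model, which is regenerated
and redeployed periodically from the growing warehouse."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed audit records in the shape of network connection records
# (service, TCP status flag, bytes transferred). Not real traffic.
TRAINING_RECORDS = [
    {"service": "http", "flag": "SF", "bytes": 300},
    {"service": "http", "flag": "SF", "bytes": 420},
    {"service": "smtp", "flag": "SF", "bytes": 1500},
    {"service": "http", "flag": "SF", "bytes": 350},
    {"service": "dns", "flag": "SF", "bytes": 80},
    {"service": "http", "flag": "SF", "bytes": 390},
    {"service": "smtp", "flag": "SF", "bytes": 1300},
    {"service": "dns", "flag": "SF", "bytes": 70},
]

# Constructed live stream; the third record is an attack-like outlier
# (unseen service, unseen flag, huge transfer) that no training record resembles.
LIVE_RECORDS = [
    {"service": "http", "flag": "SF", "bytes": 310},
    {"service": "dns", "flag": "SF", "bytes": 90},
    {"service": "ftp_data", "flag": "S0", "bytes": 50000},
    {"service": "smtp", "flag": "SF", "bytes": 1400},
    {"service": "http", "flag": "SF", "bytes": 330},
    {"service": "http", "flag": "SF", "bytes": 400},
]


class DataWarehouse:
    """Central store every sensor writes to and every model generator reads from."""

    def __init__(self):
        self.records = []

    def insert(self, record):
        self.records.append(dict(record))

    def query(self):
        return list(self.records)


@dataclass
class AnomalyModel:
    """Per-feature marginals: value counts for string features, mean/std for numeric
    ones. A record's score is its negative log-likelihood under these marginals,
    so unseen categorical values and far-out numeric values score high."""
    cat: dict
    num: dict
    threshold: float
    version: int

    def score(self, record):
        s = 0.0
        for f, counts in self.cat.items():
            total = sum(counts.values())
            # Additive smoothing: an unseen value is improbable, not probability zero
            p = (counts.get(record.get(f), 0) + 1) / (total + len(counts) + 1)
            s -= math.log(p)
        for f, (mu, sigma) in self.num.items():
            z = (record.get(f, mu) - mu) / sigma
            s += 0.5 * z * z
        return s


def generate_model(records, version, margin=2.0):
    """Model generator: fit marginals from the warehouse and set the alert threshold
    to the highest score any training record gets, plus a margin (constructed rule)."""
    cat = defaultdict(Counter)
    num_vals = defaultdict(list)
    for r in records:
        for f, v in r.items():
            if isinstance(v, str):
                cat[f][v] += 1
            else:
                num_vals[f].append(float(v))
    num = {}
    for f, vals in num_vals.items():
        mu = sum(vals) / len(vals)
        var = sum((x - mu) ** 2 for x in vals) / len(vals)
        num[f] = (mu, math.sqrt(var) or 1.0)  # guard against zero variance
    model = AnomalyModel(dict(cat), num, threshold=0.0, version=version)
    model.threshold = max(model.score(r) for r in records) + margin
    return model


class Detector:
    """Real-time evaluator; accepts a freshly generated model at any time."""

    def __init__(self, model):
        self.model = model

    def deploy(self, model):
        self.model = model

    def evaluate(self, record):
        s = self.model.score(record)
        return {"score": s, "alert": s > self.model.threshold, "model": self.model.version}


def run_pipeline(live_records, retrain_every=4):
    """Adaptive loop: score each live record, feed non-alerting records back into the
    warehouse, and regenerate and redeploy the model every retrain_every records."""
    wh = DataWarehouse()
    for r in TRAINING_RECORDS:
        wh.insert(r)
    detector = Detector(generate_model(wh.query(), version=1))
    results = []
    for i, r in enumerate(live_records, 1):
        verdict = detector.evaluate(r)
        results.append(verdict)
        # Only records the current model accepts are added to the training set, so
        # an attacker's traffic cannot teach the next model that it is normal.
        if not verdict["alert"]:
            wh.insert(r)
        if i % retrain_every == 0:
            detector.deploy(generate_model(wh.query(), version=detector.model.version + 1))
    return results


if __name__ == "__main__":
    for v in run_pipeline(LIVE_RECORDS):
        print(v)
```

The feedback rule in run_pipeline is the part a practitioner should look at hardest: automatic retraining from live data is what makes the system adaptive, and it is also the point where an attacker who stays just under the threshold can gradually shift what the model treats as normal. Gating the feedback on the current verdict, as here, limits but does not eliminate that drift; a real deployment would also want to review or sample the records that enter the training set.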
© 2002 Springer Science+Business Media New York
About this chapter
Cite this chapter
Honig, A., Howard, A., Eskin, E., Stolfo, S. (2002). Adaptive Model Generation. In: Barbará, D., Jajodia, S. (eds) Applications of Data Mining in Computer Security. Advances in Information Security, vol 6. Springer, Boston, MA. https://doi.org/10.1007/978-1-4615-0953-0_7
DOI: https://doi.org/10.1007/978-1-4615-0953-0_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4613-5321-8
Online ISBN: 978-1-4615-0953-0
eBook Packages: Springer Book Archive