Adaptive Model Generation

An Architecture for Deployment of Data Mining-based Intrusion Detection Systems

Part of the book series: Advances in Information Security ((ADIS,volume 6))

Abstract

Data mining-based intrusion detection systems (IDSs) have significant advantages over signature-based IDSs since they are designed to generalize models of network audit data to detect new attacks. However, data mining-based IDSs are difficult to deploy in practice due to the complexity of collecting and managing the audit data needed to train the data mining-based detection models. In this paper, we present Adaptive Model Generation (AMG), a real-time architecture for implementing data mining-based intrusion detection systems. This architecture solves the problems associated with data mining-based IDSs by automating the collection of data, the generation and deployment of detection models, and the real-time evaluation of data. It is a distributed system with general classes of components that can be easily changed within the framework of the system. We also present specific examples of system components, including auditing sub-systems, model generators for misuse detection and anomaly detection, and support for visualization and correlation of multiple audit sources.



Copyright information

© 2002 Springer Science+Business Media New York

Cite this chapter

Honig, A., Howard, A., Eskin, E., Stolfo, S. (2002). Adaptive Model Generation. In: Barbará, D., Jajodia, S. (eds) Applications of Data Mining in Computer Security. Advances in Information Security, vol 6. Springer, Boston, MA. https://doi.org/10.1007/978-1-4615-0953-0_7

  • DOI: https://doi.org/10.1007/978-1-4615-0953-0_7

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4613-5321-8

  • Online ISBN: 978-1-4615-0953-0
