Qiang Duan
ABSTRACT
Two main approaches for network intrusion detection are misuse detection [6] and anomaly detection [11]. The limitation of the misuse approach is that cannot effectively detect new patterns of intrusions that are not precisely encoded in the system [11]. The anomaly detection approach usually produces a large number of false alarms [1, 7]. In addition, anomaly detection requires intensive computations on a large amount of training data to characterize normal behavior patterns.In this paper, we try to apply interval technology to enhance network intrusion detection systems (IDS). By storing network state data into interval valued bi-temporal database, we better sample the stream of network states. We represent the likelihood of intrusions associated with an m x n interval valued rule matrix that can be obtained from the database with relatively low computational complexity. By grouping nearby patterns with intervals, we may significantly reduce false alarms. The O(n) computational cost of maintaining the rules makes it possible to integrate the IDS with network management systems for almost real-time automatic network control. Our probabilistic approach with the rule matrix model can be further applied to study the pattern evolution of network intrusions.
- R. Bace and P. Mell, "Intrusion Detection Systems," Special Publication on Intrusion Detection Systems from National Institute of Standards and Technology, 2000.Google Scholar
- D. Barbara, N. Wu, and S. Jajodia (Eds.), "Applications of Data Mining in Computer Security," Kluwer Academic Publishers, 2002. Google ScholarDigital Library
- S. Bridges and R. Vaufhn, "Fuzzy Data Mining and Genetic Algorithms Applied to Intrusion Detection," Proceeding of 23rd National Information Security Conference, 2000.Google Scholar
- P. Chen, A. de Korvin, and C. Hu, "Association Analysis with Interval Valued Fuzzy Sets and Body of Evidence," Proceedings of the 2002 IEEE World Congress on Computational Intelligence, pp. 518--523, 2002Google Scholar
- A. de Korvin, C. Hu, and P. Chen, "Generating and Applying Rules for Interval Valued Fuzzy Observations," Lecture Notes in Computer Science, Vol. 3177, pp. 279--284, Springer-Verlag, 2004.Google ScholarCross Ref
- K. Ilgun, R. A. Kemmerer, and P. A. Porras, "State Transition Analysis: A Rule-based Intrusion Detection Approach," IEEE Transactions on Software Engineering, Vol. 21, No. 3, pp. 181--199, March 1995. Google ScholarDigital Library
- K. Julisch, "Clustering Intrusion Detection Alarms to Support Root Cause Analysis," ACM Transactions on Information and System Security, Vol. 6, No. 4, pp. 443--471, November 2003. Google ScholarDigital Library
- S. Kumar and E. Spafford, "A Software Architecture to Support Misuse Intrusion Detection," in 18th National Information Security Conference, pp. 194--204, 1995.Google Scholar
- S. Manganaris, M. Christensen, D. Zerkle, and K. Hermiz, "A Data Mining Analysis of RTID Alarms," Computer Networks, pp. 571--577, 2000. Google ScholarDigital Library
- J. F. Roddick, and M. Spiliopoulou, "A Survey of Temporal Knowledge Discovery Paradigms and Methods," IEEE Transaction on Knowledge and Data Engineering, Vol. 14, No. 4, pp. 750--767, 2002. Google ScholarDigital Library
- A. Seleznyov and S. Puuronen, "Anomaly Intrusion Detection Systems: Handling Temporal Relations between Events," in Recent Advances Intrusion Detection, 1999.Google Scholar
- R. T. Snodgrass, editor. The TSQL2 Temporal Query Language, chapter 10, Kluwer Academic Publishers, 1995. Google ScholarDigital Library
- M. Spiliopoulou, J. F. Roddick, "Higher Order Mining: modeling and Mining the Results of Knowledge Discovery," Proc. Second International Conference on Data Mining Methods and Databases, 2000.Google Scholar
- D. C. Verma, "Simplifying Network Administration Using Policy-based Management," IEEE Network Magazine, Vol. 16, No. 2, pp. 20--26, March 2003. Google ScholarDigital Library
Index Terms
- Enhancing network intrusion detection systems with interval methods
Recommendations
Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion
In this article, the authors describe common intrusion detection techniques, NIDS evasion methods, and how NIDSs detect intrusions. Additionally, we introduce new evasion methods, present test results for confirming attack outcomes based on server ...
Random-Forests-Based Network Intrusion Detection Systems
Prevention of security breaches completely using the existing security technologies is unrealistic. As a result, intrusion detection is an important component in network security. However, many current intrusion detection systems (IDSs) are rule-based ...
Syntax vs. semantics: competing approaches to dynamic network intrusion detection
Malicious network traffic, including widespread worm activity, is a growing threat to internet-connected networks and hosts. In this paper, we consider both syntax and semantics based approaches for dynamic network intrusion detection. The semantics-...
Comments