Hong Han
Abstract
In Network-based Intrusion Detection, signatures discovery is an important issue, since the performance of an intrusion detection system heavily depends on accuracy and abundance of signatures. In most cases, we have to find these signatures manually. This is a time-consuming and error-prone work. Some papers introduce data mining into Intrusion Detection System. However, there are some drawbacks in these schemes. We present a data mining based approach to supporting signature discovery in network-based Intrusion Detection System. It has people find signatures of an intrusion easily. The main idea is that: First, Signature Discovery System (SDS) tries to find the most possible signatures that occur very frequently in the communication monitored. Second, SDS will find the relationships between these candidate signatures and construct rules based on these relationships found. Finally, SDS gives two kinds of hints: one is the signatures whose frequency of occurrence is greater than a threshold; the other is a set of rules composed of a set of signatures that are created by SDS in the second step. An experimental system called SigSniffer has been implemented to test the feasibility of the proposed approach.
- Anderson, J. P. 1980. Computer security threat monitoring and surveillance. Tech. Rep. Anderson Co. Fort Washington, PA.Google Scholar
- Julia Allen. 2000. State of the Practice of Intrusion Detection Technologies, page 38, http://www.sei.cmu.edu/pub/documents/99.reports/pdf/99tr028.pdf.Google Scholar
- Paxson, Vern. Bro: A System for Detecting Network Intruders in Real-Time, Proceedings of 7th USENIX Security Symposium. San Antonio, TX, January 1998 {online}. http://www.aciri.org/vern/papers.html Google ScholarDigital Library
- Van Ryan, Jane. SAIC's Center for Information Security Technology Releases CMDS Verson 3.5 {online}. http://www.saic.com/news/may98/news05-15-98.html (1998).Google Scholar
- Cisco. NetRanger {online}. URL: http://www.cisco.com/warp/public/778/security/netranger/ (1999).Google Scholar
- Marty Roesch. Snort --- Lightweight Intrusion Detection for Networks. http://www.snort.org/documentation.html.Google Scholar
- Wenke Lee. Data Mining Approaches for Intrusion Detection. 7th USENIX Security Symposium, San Antonio, Texas. Google ScholarDigital Library
- Eric Bloedorn, Alan D. Data Mining for Network Intrusion Detection: How to Get Started. http://www.mitre.org/support/papers/tech_papers_01/bloedorn_datamining/bloedorn_datamining.pdf.Google Scholar
- R. Agrawal and R. Srikant, Fast Algorithms for mining association rules,Proc. Of 20th VLDB Conference, 1994. Google ScholarDigital Library
Index Terms
- Data mining aided signature discovery in network-based intrusion detection system
Recommendations
Building intrusion pattern miner for Snort network intrusion detection system
In this paper, we enhance the functionalities of Snort network-based intrusion detection system to automatically generate patterns of misuse from attack data, and the ability of detecting sequential intrusion behaviors. To that, we implement an ...
An Adaptive Rule-Based Intrusion Alert Correlation Detection Method
ICNDC '10: Proceedings of the 2010 First International Conference on Networking and Distributed ComputingIntrusion detection system (IDS) is a security layer that is used to discover ongoing intrusive attacks and anomaly activities in information systems and is usually working in a dynamically changing environment. Although increasing IDSs are developed in ...
Agent-oriented network intrusion detection system using data mining approaches
Most of the existing commercial Network Intrusion Detection System (NIDS) products are signature-based but not adaptive. In this paper, an adaptive NIDS using data mining technology is developed. Data mining approaches are used to accurately capture the ...
Comments