Abstract
Intrusion detection systems have traditionally been based on the characterization of an attack and the tracking of the activity on the system to see if it matches that characterization. Recently, new intrusion detection systems based on data mining are making their appearance in the field. This paper describes the design and experiences with the ADAM (Audit Data Analysis and Mining) system, which we use as a testbed to study how useful data mining techniques can be in intrusion detection.
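The contrast the abstract draws, as an added illustration that is not ADAM's own code and is not the paper's algorithm: the first detector matches each audit record against a fixed, hand-written characterization of one attack; the second mines a profile of normal traffic from a training window and reports what departs from it. The mining step shown here is frequent-itemset mining with a minimum-support threshold, the building block of association-rule mining, chosen as a representative data mining technique rather than as a statement of what ADAM implements. The record format, the support threshold and every record below are constructed for the example.

```python
"""Two detection styles on constructed connection records.

Signature detection matches each record against a hand-written
characterization of an attack.  Mining-based anomaly detection instead
learns a profile of normal traffic, here the set of frequent itemsets
(attribute=value combinations with support >= MIN_SUPPORT), and reports
itemsets that become frequent in a monitored window but are absent from
that profile.  Added example, not ADAM's code: record format, threshold
and all records are made up for the illustration.
"""
from collections import Counter
from itertools import combinations

FIELDS = ("src", "dst", "service", "flag")
MIN_SUPPORT = 0.5   # fraction of records an itemset must occur in

# Constructed training window: benign web and mail traffic to one server.
TRAINING = [
    ("h1", "srv", "http", "SF"),
    ("h2", "srv", "http", "SF"),
    ("h1", "srv", "smtp", "SF"),
    ("h3", "srv", "http", "SF"),
    ("h2", "srv", "smtp", "SF"),
    ("h3", "srv", "http", "SF"),
]

# Constructed monitored window: one new host probing several services and
# being rejected, mixed with ordinary traffic.
MONITORED = [
    ("h1", "srv", "http", "SF"),
    ("h9", "srv", "ftp", "REJ"),
    ("h9", "srv", "telnet", "REJ"),
    ("h9", "srv", "smtp", "REJ"),
    ("h9", "srv", "http", "REJ"),
    ("h2", "srv", "http", "SF"),
]


def to_items(record):
    """Encode a record as a set of 'attribute=value' items."""
    return frozenset(f"{k}={v}" for k, v in zip(FIELDS, record))


def frequent_itemsets(records, min_support=MIN_SUPPORT, max_size=2):
    """Itemsets of 1..max_size items whose support is at least min_support.

    Brute-force counting is fine for a handful of records; a real miner
    prunes candidates level by level instead of enumerating every subset.
    """
    counts = Counter()
    for rec in records:
        items = sorted(to_items(rec))
        for k in range(1, max_size + 1):
            for combo in combinations(items, k):
                counts[frozenset(combo)] += 1
    n = len(records)
    return {itemset for itemset, c in counts.items() if c / n >= min_support}


# --- Style 1: match activity against a fixed characterization -----------
def matches_signature(record):
    """Constructed characterization of one known attack: a half-open
    connection to the finger service.  Nothing in MONITORED fits it, so a
    detector built only from this signature stays silent on the probe."""
    _src, _dst, service, flag = record
    return service == "finger" and flag == "S0"


def signature_alerts(records):
    return [r for r in records if matches_signature(r)]


# --- Style 2: mine a normal profile and report what departs from it -----
def build_profile(training_records):
    return frequent_itemsets(training_records)


def anomalous_itemsets(profile, monitored_records):
    """Itemsets frequent in the monitored window but not in the profile."""
    return frequent_itemsets(monitored_records) - profile


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(MONITORED))
    profile = build_profile(TRAINING)
    for itemset in sorted(anomalous_itemsets(profile, MONITORED), key=sorted):
        print("new frequent itemset:", sorted(itemset))
```

On the constructed windows the signature never fires, while the profile comparison surfaces `src=h9`, `flag=REJ` and their combinations with the server as itemsets that are frequent now but were never frequent in training. The same comparison would also fire on benign change, such as a newly deployed service, so the training window and the support threshold decide the false-positive rate as much as the mining step does.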
ADAM: a testbed for exploring the use of data mining in intrusion detection