Efficient Mining and Detection of Sequential Intrusion Patterns for Network Intrusion Detection Systems
In recent years, pervasive computing infrastructures have greatly improved the interaction between human and system. As we put more reliance on these computing infrastructures, we also face threats of network intrusion and/or any new forms of undesirable IT-based activities. Hence, network security has become an extremely important issue, which is closely connected with homeland security, business transactions, and people's daily life. Accurate and efficient intrusion detection technologies are required to safeguard the network systems and the critical information transmitted in the network systems. In this chapter, a novel network intrusion detection framework for mining and detecting sequential intrusion patterns is proposed. The proposed framework consists of a Collateral Representative Subspace Projection Modeling (C-RSPM) component for supervised classification, and an inter-transactional association rule mining method based on Layer Divided Modeling (LDM) for temporal pattern analysis. Experiments on the KDD99 data set and the traffic data set generated by a private LAN testbed show promising results with high detection rates, low processing time, and low false alarm rates in mining and detecting sequential intrusion detections.
KeywordsAssociation Rule Intrusion Detection Mobile Agent Intrusion Detection System Frequent Itemsets
Unable to display preview. Download preview PDF.
- Agrawal R, Swami A (1993) Mining association rules between sets of items in large data-bases. In: Proceedings of the ACM SIGMOD conference on management of data: 207-216.Google Scholar
- Alam M.S, Vuong S.T (2007) APHIDS++: A mobile agent based intrusion detection system. In: Proceedings of the 2nd international conference on communication systems software and middleware: 1-6. doi: 10.1109/COMSW A.2007.382483.Google Scholar
- Anderson D, Frivold T, Anderson A (1995) Next-generation intrusion detection expert system (NIDES): A summary. In: SRI international technical report 95: 28-42. Menlo Park, CA.Google Scholar
- Basicevic F, Popovic M, Kovacevic V (2005) The use of distributed network-based IDS systems in detection of evasion attacks. In: Proceedings of the advanced industrial conference on telecommunications/service assurance with partial and intermittent resources conference/e-learning on telecommunications workshop. AICT/SAPIR/ELETE: 78-82.Google Scholar
- Boonjing V, Songram P (2007) Efficient algorithms for mining closed multidimensional sequential patterns. In: Proceedings of the 4th international conference on fuzzy systems and knowledge discovery 2: 749-753.Google Scholar
- Ertoz L, Eilertson E, Lazarevic A, Tan P, Srevastava J, Kumar V, Dokas P (2004) The MINDS — Minnesota intrusion detection system. Next generation data mining. MIT Press, Cambridge, MA.Google Scholar
- Esparza O, Soriano M, Munoz J.L, Forne J (2003) A protocol for detecting malicious hosts based on limiting the execution time of mobile agents. In: Proceedings of the 8th IEEE international symposium on computers and communication: 251-256.Google Scholar
- Han B (2003) Support vector machines. http://www.ist.temple.edu/∼vucetic/cis526fall2003/lecture8.doc.
- Han J, Gong W, Yin Y (1998) Mining segment-wise periodic patterns in time-related databases. In: Proceedings of the international conference on knowledge discovery and data mining: 214-218.Google Scholar
- Han J, Lu H, Feng L (1998) Stock movement prediction and n-dimensional intertransaction association rules. In: Proceedings of the 1998 SIGMOD workshop research issues on data mining and knowledge discovery 12: 1-7.Google Scholar
- Han J, Pei J, Yin Y (2000) Mining frequent patterns without candidate generation. In: Proceedings of the ACM SIGMOD international conference on management of data (SIGMOD'00): 1-12.Google Scholar
- Huang K, Chang C, Lin K (2004) Prowl: An efficient frequent continuity mining algorithm on event sequences. In: Proceedings of the 6th international conference on data warehousing and knowledge discovery (DaWak'04), Lecture Notes in Computer Science 3181: 351-360.Google Scholar
- Kannadiga P, Zulkernine M (2005) DIDMA: A distributed intrusion detection system using mobile agents. In: Proceedings of the 6th international conference on software engineering, artificial intelligence, networking and parallel and distributed computing. 238-245.Google Scholar
- KDD (1999) KDD cup 1999 data. http://kdd.ics.uci.edu/databases/kddcup99/.
- Labib K, Vemuri V (2004) Detecting and visualizing Denial-of-Service and network probe attacks using principal component analysis. In: The 3rd conference on security and network architectures (SAR'04). La Londe, France.Google Scholar
- Lazarevic A, Ertoz L, Kumar V, Ozgur A, Srivastava J (2003) A comparative study of anomaly detection schemes in network intrusion detection. In: Proceedings of the third SIAM conference on data mining. San Francisco, CA.Google Scholar
- Ozden B, Ramaswamy S, Silberschatz A (1998) Cyclic association rules. In: Proceedings of the 14th international conference on data engineering: 412-421.Google Scholar
- Paek S, Oh Y, Yun J, Lee D (2006) The architecture of host-based intrusion detection model generation system for the frequency per system call. In: Proceedings of the international conference on hybrid information technology (ICHIT'06) 2: 277-283.Google Scholar
- Quinlan J (1993) C4.5: Programs for machine learning. Morgan Kaufmann, San Fracisco, CA.Google Scholar
- Quirino T, Xie Z, Shyu M, Chen S, Chang L (2006) Collateral representative subspace projection modeling for supervised classification. In: Proceedings of the 18th IEEE international conference on tools with artificial intelligence (ICTAI'06): 98-105.Google Scholar
- Ramakrishnan V, Kumar R.A, John S (2007) Intrusion detection using protocol-based non-conformance to trusted behaviors. In: Proceedings of navigation and surveillance conference (ICNS '07): 1-12.Google Scholar
- Ray P (2007) Host based intrusion detection architecture for mobile ad hoc networks. In: Proceedings of the 9th international conference on advanced communication technology 3: 1942-1946.Google Scholar
- Snapp S, Bretano J, Dias G, Goan T, Hebrlein L, Ho C, Levitt K, Mukherjee B, Smaha S,Grance T, Teal D, Mansur D (1991) DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype. In: Proceedings of the 14th national computer science conference. Washington D.C.: 167-176.Google Scholar
- TCPTRACE (2008) Available at http://www.tcptrace.org/.
- Tsai M, Lin S, Tseng S (2003) Protocol based foresight anomaly intrusion detection system. In: Proceedings of IEEE the 37th annual 2003 international carnahan conference: 493-500.Google Scholar
- Vaidehi K, Ramamurthy B (2004) Distributed hybrid agent based intrusion detection and real time response system. In: Proceedings of the 1st international conference on broadband networks (BROADNETS'04): 739-741.Google Scholar
- Verwored T, Hunt R (2002) Intrusion detection techniques and approaches. ComputComm 25: 1356-1365.Google Scholar
- Wang Y, Hou Z, Zhou X (2006) An incremental and hash-based algorithm for mining frequent episodes. In: Proceedings of the international conference on computational intelligence and security 1: 832-835.Google Scholar
- WinDump: tcpdump for Windows (2008) Available at http://www.winpcap.org/windump/default.htm.
- Xie Z, Quirino T, Shyu M, Chen S, Chang L (2006) UNPCC: A novel unsupervised classification scheme for network intrusion detection. In: Proceedings of the 18th IEEE international conference on tools with artificial intelligence (ICTAI'06): 743-750. Washington D.C., USA.Google Scholar
- Zhang S, Zhang J, Zhu X, Huang Z (2006) Identifying follow-correlation itemset-pairs. In: Proceedings of the 6th IEEE international conference on data mining (ICDM06): 765-774.Google Scholar
- Gao F, Sun J, Wei Z (2003) The prediction role of hidden Markov model in intrusion detection. In: Proceedings of Canadian conference on electrical and computer engineering 2: 893-896.Google Scholar
- Yin Q, Zhang R, Li X (2004) A new intrusion detection method based on linear prediction. In: Proceedings of the 3rd international conference on information security (InfoSecu04): 160-165.Google Scholar