Algorithms for Mining System Audit Data

  • Wenke Lee
  • Salvatore J. Stolfo
  • Kui W. Mok
Part of the Studies in Fuzziness and Soft Computing book series (STUDFUZZ, volume 95)

Abstract

We describe our research in applying data mining techniques to construct intrusion detection models. The key ideas are to mine system audit data for consistent and useful patterns of program and user behavior, and to use the set of relevant system features present in those patterns to compute classifiers that can recognize anomalies and known intrusions. Our past experiments showed that classification rules can be used to detect intrusions, provided that sufficient audit data is available for training and the right set of system features is selected. We use the association rules and frequent episodes computed from audit data as the basis for guiding the audit data gathering and feature selection processes. In order to compute only the relevant patterns, we consider the "order of importance" and "reference" relations among the attributes of the data, and modify these two basic algorithms accordingly to use axis attribute(s) and reference attribute(s) as forms of item constraints in the data mining process. We also use an iterative level-wise approximate mining procedure for uncovering the low frequency but important patterns. We report our experiments in using these algorithms on real-world audit data.
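The two item constraints and the iterative procedure named in the abstract, as an added worked example (this is not the chapter's code; the record layout, the attribute names `service`, `flag`, `dst_host` and `src_bytes`, the sample connection records and the episode support definition are all constructed for illustration). Itemsets are mined level-wise with `service` as the axis attribute, so every pattern describes the behaviour of a service; serial episodes are mined with `dst_host` as the reference attribute, so only same-target sequences count; and the support threshold is then halved round by round to surface low-frequency patterns. The relatedness test used in that last step is this example's simplification, not the chapter's definition.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample audit data (not from the chapter): one record per
# connection, in the spirit of the tcpdump-derived records the text mines.
RECORDS = [
    {"time": 1,  "service": "http",   "flag": "SF",  "dst_host": "h1", "src_bytes": "lo"},
    {"time": 2,  "service": "http",   "flag": "SF",  "dst_host": "h1", "src_bytes": "lo"},
    {"time": 3,  "service": "http",   "flag": "SF",  "dst_host": "h2", "src_bytes": "lo"},
    {"time": 4,  "service": "http",   "flag": "SF",  "dst_host": "h2", "src_bytes": "lo"},
    {"time": 5,  "service": "smtp",   "flag": "SF",  "dst_host": "h1", "src_bytes": "mid"},
    {"time": 6,  "service": "http",   "flag": "S0",  "dst_host": "h3", "src_bytes": "zero"},
    {"time": 7,  "service": "http",   "flag": "S0",  "dst_host": "h3", "src_bytes": "zero"},
    {"time": 8,  "service": "http",   "flag": "S0",  "dst_host": "h3", "src_bytes": "zero"},
    {"time": 9,  "service": "ftp",    "flag": "SF",  "dst_host": "h2", "src_bytes": "hi"},
    {"time": 10, "service": "http",   "flag": "SF",  "dst_host": "h1", "src_bytes": "lo"},
    {"time": 11, "service": "smtp",   "flag": "SF",  "dst_host": "h2", "src_bytes": "mid"},
    {"time": 12, "service": "telnet", "flag": "REJ", "dst_host": "h3", "src_bytes": "zero"},
]

def items_of(record, skip=("time",)):
    """Turn a record into (attribute, value) items, dropping bookkeeping fields."""
    return frozenset((a, v) for a, v in record.items() if a not in skip)

def frequent_itemsets(records, axis, min_support):
    """Apriori-style level-wise mining with an axis-attribute item constraint:
    every itemset must contain an item of `axis`, so candidates are grown from
    axis items only and itemsets without the axis are never counted."""
    trans = [items_of(r) for r in records]
    n = len(trans)
    def support(s):
        return Fraction(sum(1 for t in trans if s <= t), n)
    all_items = set().union(*trans)
    others = {it for it in all_items if it[0] != axis}
    level = {frozenset([it]) for it in all_items if it[0] == axis}
    level = {s for s in level if support(s) >= min_support}
    found = {}
    while level:
        found.update((s, support(s)) for s in level)
        cands = set()
        for s in level:
            used = {a for a, _ in s}
            for it in others:
                if it[0] not in used:  # one value per attribute
                    c = s | {it}
                    # Apriori pruning: every (k-1)-subset that still holds the
                    # axis item must have been frequent at the previous level.
                    if all(c - {x} in level for x in c if x[0] != axis):
                        cands.add(c)
        level = {c for c in cands if support(c) >= min_support}
    return found

def rules(itemsets, min_conf):
    """Association rules lhs -> rhs whose lhs keeps the axis item, so each rule
    describes what a service does rather than an arbitrary co-occurrence."""
    out = []
    for s, sup in itemsets.items():
        for lhs in itemsets:
            if lhs < s:
                conf = sup / itemsets[lhs]
                if conf >= min_conf:
                    out.append((lhs, s - lhs, sup, conf))
    return out

def frequent_episodes(records, reference, window, min_support, skip=("time",)):
    """Serial episodes (event A, then event B within `window`) under a reference-
    attribute constraint: both records must agree on `reference`, e.g. the
    destination host. Support is the fraction of records that start at least
    one occurrence (a simplified count, not the chapter's exact definition)."""
    recs = sorted(records, key=lambda r: r["time"])
    starts = defaultdict(set)
    for i, a in enumerate(recs):
        for b in recs[i + 1:]:
            if b["time"] - a["time"] > window:
                break
            if b[reference] != a[reference]:
                continue
            for x in items_of(a, skip + (reference,)):
                for y in items_of(b, skip + (reference,)):
                    starts[(x, y)].add(i)
    n = len(recs)
    return {ep: Fraction(len(s), n) for ep, s in starts.items()
            if Fraction(len(s), n) >= min_support}

def level_wise_episodes(records, reference, window, s_init, s_min):
    """Iterative level-wise approximate mining: start at a high support, halve
    it each round, and at each lower level keep only new episodes that share an
    event with an episode already found. The relatedness test is this
    example's simplification; the chapter defines its own."""
    found, known_events, s = {}, set(), s_init
    while s >= s_min:
        for ep, sup in frequent_episodes(records, reference, window, s).items():
            if ep not in found and (not known_events or set(ep) & known_events):
                found[ep] = (sup, s)  # remember the level the pattern surfaced at
        known_events.update(e for ep in found for e in ep)
        s /= 2
    return found

if __name__ == "__main__":
    for s, sup in sorted(frequent_itemsets(RECORDS, "service", Fraction(1, 4)).items(), key=lambda kv: -kv[1]):
        print(f"{sup}  {sorted(s)}")
    for ep, (sup, lvl) in level_wise_episodes(RECORDS, "dst_host", 2, Fraction(1, 3), Fraction(1, 12)).items():
        print(f"{sup} (found at level {lvl})  {ep[0]} -> {ep[1]}")
```

On the constructed records the axis constraint means `flag=SF` on its own is never reported even though it is the most common item, while `service=http, flag=S0, dst_host=h3, src_bytes=zero` (the half-open connections to one host) is, and the reference constraint keeps the `http` then `http` episode from being counted across unrelated hosts. The `S0 -> S0` episode has too little support to appear in the first round and only surfaces once the threshold has been lowered and `flag=S0` is already known from a frequent pattern, which is the effect the iterative procedure is after.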

Keywords

Association Rule, Intrusion Detection, Intrusion Detection System, Frequent Itemsets, Frequent Episode

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Wenke Lee, Department of Computer Science, North Carolina State University, Raleigh, USA
  • Salvatore J. Stolfo, Department of Computer Science, Columbia University, New York, USA
  • Kui W. Mok, Morgan Stanley Dean Witter & Co., New York, USA