W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD Thesis, Computer Science Department, Columbia University, June 1999.


This paper is cited in the following contexts:
Adaptive Model Generation: An Architecture for.. - Honig, Howard, Eskin, .. (2002)

.... However, using the time stamp to compute the number of packets within the last two seconds can be a crucial piece of information in determining certain types of network attacks [15]. Models learned over well computed features are generally far superior to those computed over raw pieces of information [14]. Feature extractors can be seen as data analysis engines by the adaptive model generation system. They retrieve data from the data warehouse and then perform computations on that data. Once these computations are completed, the new data is sent back to the warehouse and appended with the new ....

....faster because in many cases JUDGE does not have to evaluate every rule in the rule set. 7.4 HAUNT Feature Extraction. The HAUNT system uses a feature extractor to discover features that are useful for detecting attacks. The algorithms for performing this feature discovery are described in [14]. The HAUNT system uses feature descriptors in order to define the features that it uses for classification. These features are defined using arithmetic and logic expressions to combine primitive features. The logic expressions implemented by this system are SUM, AND, and UNIQUE. These features ....

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.


Using Artificial Anomalies to Detect Unknown and Known.. - Fan, Miller, Stolfo (2001)   (7 citations)

.... (b) The data were then processed into connection records using MADAM ID [9]. A 10% sample was taken which maintained the same distribution of intrusions and normal connections as the original data (this sample is available as kddcup. data.10 from the UCI KDD repository). We used 80% of this sample as training data and left the remaining 20% unaltered to be used as test ....

....Absence of subsequences in the current execution of the same program from the stored sequences constitutes a potential anomaly. Lane and Brodley [8] used a similar approach but they focused on an incremental algorithm that updates the stored sequences and used data from UNIX shell commands. Lee [9], using a rule learning program, generated rules that predict the current system call based on a window of previous system calls. Abnormality is suspected when the predicted system call deviates from the actual system call. Ghosh and Schwartzbard [5] proposed using a neural network to learn a ....

Wenke Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.


Real Time Data Mining-based Intrusion Detection - Lee, Stolfo, Chan, Eskin.. (2001)   (2 citations)

....an IDS. That is, having a set of features whose values in normal audit records differ significantly from the values in intrusion records is essential for having good detection performance. We have developed a set of data mining algorithms for selecting and constructing features from audit data [19]. First, raw (binary) audit data is processed and summarized into discrete records containing a number of basic features such as in the case of network traffic: timestamp, duration, source and destination IP addresses and ports, and error condition flags. Specialized data mining programs [24] are ....

....outlined the breadth of our research efforts to address important and challenging issues of accuracy, efficiency, and usability of real time IDSs. We have implemented feature extraction and construction algorithms for labeled audit data (i.e. when both normal and intrusion data sets are given) [19]. We are implementing algorithms for unlabeled data (which can be purely normal or possibly containing unknown intrusions). We have developed several anomaly detection algorithms. In particular, we have completed the implementation of and extensive experimentation with artificial anomaly ....

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.


Toward Cost-Sensitive Modeling for Intrusion Detection and.. - Lee, Fan, al. (2000)   (11 citations)

....intrusion detection models in an effort to automate the process of IDS development and lower its development cost. The framework uses data mining algorithms to compute activity patterns and extract predictive features, and then applies machine learning algorithms to generate detection rules [14, 15]. Results from the 1998 DARPA Intrusion Detection Evaluation showed that our ID model was one of the best performing of all the participating systems, most of which were knowledge engineered [17]. In this paper, we examine the relevant cost factors, cost models, and cost metrics related to IDSs, ....

....to detect extended or coordinated attacks such as slow host or network scans [5]. Computation of these features is costly because of their need to store and analyze larger amounts of data. Based on our extensive experience in extracting and constructing predictive features from network audit data [14], we classify features into four relative levels, based on their computational costs: Level 1 features can be computed from the first packet, e.g. the service. Level 2 features can be computed at any point during the life of the connection, e.g. the connection state (SYN WAIT, CONNECTED, ....

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.


Information-Theoretic Measures for Anomaly Detection - Lee, Xiang (2001)   (16 citations)

....of features (and hence the complexities of the model), we can use some statistical feature(s), e.g. within the past n seconds, the percentage of the services that are the same as the current one, and the percentage of those that are different, etc., to approximate the regularity information. In [13], we showed that these temporal and statistical features usually have high information gain, and hence a better model can be built when these features are added to the audit data. 2.5 Information Cost. Intuitively, the more information we have, the better the detection performance. However, there ....

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.


Toward Cost-Sensitive Modeling for Intrusion Detection .. - Lee, Fan, Miller.. (2000)   (11 citations)

....intrusion detection models in an effort to automate the process of IDS development and lower its development cost. The framework uses data mining algorithms to compute activity patterns and extract predictive features, and then applies machine learning algorithms to generate detection rules [12, 13]. Results from the 1998 DARPA Intrusion Detection Evaluation showed that our ID model was one of the best performing of all the participating systems, most of which were knowledge engineered [15]. In this paper, we examine the relevant cost factors, cost models, and cost metrics related to IDSs, ....

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.




A Framework for Constructing Features and Models for Intrusion.. - Lee, Stolfo (2000)   (18 citations)

....from audit data containing network based denial of service (DoS) attacks suggest that several per host and per service measures should be included. We have developed a framework, MADAM ID (for Mining Audit Data for Automated Models for Intrusion Detection), described in [Lee and Stolfo 1998; Lee et al. 1999a; Lee et al. 1999b; Lee 1999]. The main idea is to apply data mining techniques to build intrusion detection models. The main components of the framework include programs for learning classifiers and meta classifiers [Chan and Stolfo 1993], association rules [Agrawal et al. 1993] for link ....

....containing network based denial of service (DoS) attacks suggest that several per host and per service measures should be included. We have developed a framework, MADAM ID (for Mining Audit Data for Automated Models for Intrusion Detection), described in [Lee and Stolfo 1998; Lee et al. 1999a; Lee et al. 1999b; Lee 1999]. The main idea is to apply data mining techniques to build intrusion detection models. The main components of the framework include programs for learning classifiers and meta classifiers [Chan and Stolfo 1993], association rules [Agrawal et al. 1993] for link analysis, and frequent ....

[Article contains additional citation context not shown here]

Lee, W. 1999. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. Ph.D. thesis, Columbia University.


Toward Cost-Sensitive Modeling for Intrusion Detection - Lee (2000)   (11 citations)

....intrusion detection models in an effort to automate the process of IDS development and lower its development cost. The framework uses data mining algorithms to compute activity patterns and extract predictive features, and then it applies machine learning algorithms to generate detection rules [8, 9]. Results from the 1998 DARPA Intrusion Detection Evaluation showed that our ID model was one of the best performing of all the participating systems, most of which were knowledge engineered [9, 7]. In this paper, we report the initial results of our current research in extending our data mining ....

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.


A Multiple Model Cost-Sensitive Approach for Intrusion.. - Fan, Lee, Stolfo, Miller (2000)   (4 citations)

....unwanted complexities in the development process of IDSs. We developed a data mining framework for building intrusion detection models. It uses data mining algorithms to compute activity patterns and extract predictive features, and applies machine learning algorithms to generate detection rules [7]. In this paper, we report the initial results of our current research in extending our data mining framework to build cost sensitive models for intrusion detection. We briefly examine the relevant cost factors, models and metrics related to IDSs. We propose a multiple model cost sensitive machine ....

....training data which was acquired from an environment similar to one in which a real time detection tool may be deployed. Our data consists of network connection records processed from raw tcpdump [5] files using MADAM ID (a system for Mining Audit Data for Automated Models for Intrusion Detection) [7]. The rest of the paper is organized as follows: Section 2 examines major cost factors related to IDSs and outlines problems inherent in modeling and measuring the relationships among these factors. Section 3 describes our multiple model approach to reducing operational cost and a MetaCost [3] ....

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.


A Data Mining and CIDF Based Approach for.. - Lee, Nimbalkar.. (2000)   (8 citations)

....more systematic and automated approach for building IDSs. We have developed a set of tools that can be applied to a variety of audit data sources to generate intrusion detection models. We call the collection of these tools MADAM ID (Mining Audit Data for Automated Models for Intrusion Detection) [8, 10]. The central theme of our approach is to apply data mining programs to the extensively gathered audit data to compute models that accurately capture the actual behavior (i.e. patterns) of intrusions and normal activities. This approach significantly reduces the need to manually analyze and ....

....is shown in Table 1. Accordingly, the following features are constructed for SYN flood: a count of the connections to the same destination host in the past 2 seconds, and among these connections, the percentage that are to the same service, and the percentage that have the S0 flag. In prior work [8], we showed that these constructed features have high information gain, and can therefore improve the accuracy of the classification rules. The process of applying MADAM ID to build intrusion models, as shown in Figure 1, involves multiple steps and iterations. For example, poor performance of a ....

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University, June 1999.


Intrusion Detection Systems Using Decision Trees and.. - Sandhya..

No context found.

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD Thesis, Computer Science Department, Columbia University, June 1999.


Using Adaptive Alert Classification to Reduce False Positives.. - Pietraszek (2004)

No context found.

Lee, W.: A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Columbia University (1999).


Workshop on Information Assurance - United States Military

No context found.

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD Thesis, Computer Science Department, Columbia University, 1999.


Mining Alarm Clusters to Improve Alarm Handling Efficiency - Julisch (2001)   (9 citations)

No context found.

W. Lee. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Computer Science Department, Columbia University, NY, 1999.


Intrusion Detection: A Bibliography - Mé, Michel (2001)

No context found.

Lee, W. (1999). A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD thesis, Computer Science Department, Columbia University.


An Evaluation of Negative Selection in an Artificial Immune.. - Kim, Bentley (2001)   (6 citations)

No context found.

Lee, W. (2000). A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. PhD Thesis, Dept of Computer Science, Columbia University.

