W. Lee, S. J. Stolfo and K. W. Mok, "Mining in a data-flow environment: experience in network intrusion detection," in Knowledge Discovery and Data Mining, pp. 114-124, 1999.
....queries. STREAM [BW01] considers the relation of materialized views to continuous queries in the context of self-maintenance. In our work, we are less concerned with the tradeoff between computation and scratch storage than with the sharing of storage among different queries. Other recent research [LSM99, GKS01, SH98] has focused on developing algorithms to perform specific functions on sequenced data. Instead, we focus on general Select Project Join (SPJ) views and simple classes of aggregates. The computation of standing queries based on tuple windows is similar to trigger processing and the incremental ....
LEE, W., STOLFO, S., AND MOK, K. Mining in a Data-flow Environment: Experience in Network Intrusion Detection. In SIGKDD (1999), pp. 114-124.
....per day) because it is often difficult to select keywords by hand which successfully detect real attacks while not creating false alarms for normal traffic. In addition, these signature-based systems must be updated frequently to detect new attacks as they are discovered. Two research systems [5,6] that took part in the 1998 DARPA off-line intrusion detection evaluation [7,8] provided good performance for user-to-root attacks, where local users on a UNIX host illegally obtain root-level privileges. Their performance was much better than that of an untuned baseline keyword reference system ....
Lee, W., S.J. Stolfo, and K. Mok (1999) "Mining in a Data-flow Environment: Experience in Network Intrusion Detection", Proceedings 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD '99), San Diego, CA.
....techniques to performance data in an effort to reduce data volume or to automate tasks for the user. These techniques include covariance analysis, discriminant analysis, principal component analysis, and clustering analysis [3, 19]. In the knowledge discovery field, Lee, Stolfo, and Mok [12] have focused techniques for machine learning on traces of Internet network activity to provide automated support for intrusion detection in computer networks. To assist with the analysis of large trace files, numerous researchers have investigated visualization techniques [10, 23]. Visualizations ....
W. Lee, S. J. Stolfo, and K. W. Mok, "Mining in a dataflow environment: experience in network intrusion detection," Proc. Fifth ACM SIGKDD Int'l Conf. Knowledge Discovery and Data Mining, 1999, pp. 114-24.
....detect unknown intrusions. However, it also involves major challenges because of the need to acquire a model of the normal use general enough to allow authorized users to work without raising alarms, but specific enough to recognize unauthorized usages [Lane and Brodley, 1997; Ghosh et al. 1999; Lee et al. 1999; Neri, 2000]. (Footnote 1: An extended and revised version of this paper will appear in the Proceedings of ECML2000.) Our approach follows the last philosophy for detecting intrusion and we describe here how it is possible to learn a model of normal use of a network from logs of the network activity. A ....
....on the detection performances. As learning methods, we exploited two rule-based systems: a heuristic one, RIPPER [Cohen, 1995], and an evolutive one (based on genetic algorithms), REGAL [Giordana and Neri, 1995; Neri and Saitta, 1996]. The first system has been selected because of its previous use [Lee et al. 1999]; it will thus act as a benchmark. The second system has been selected because we believe that its intrinsically stochastic behavior should allow the acquisition of alternative robust and simpler models [Neri and Saitta, 1996]. In the following, a description of the systems REGAL and RIPPER ....
Lee, W., Stolfo, S., and Mok, K. (1999). Mining in a data-flow environment: experience in network intrusion detection. In Knowledge Discovery and Data Mining KDD'99, pages 114--124. ACM Press.
....reference attributes normally carry information about some subject, and other attributes describe the actions that refer to the same subject. When mining these frequent same-subject patterns, we need to filter out the unwanted across-subject patterns. We use reference attribute(s) [Lee et al. 1999a] in the frequent episodes algorithm to ensure that, within each episode's minimal occurrences, the records covered by its constituent item sets have the same reference attribute value. Level-wise approximate mining: We introduce an iterative level-wise approximate mining procedure to uncover ....
....from Patterns: We study the problem of how to automatically construct temporal and statistical features from a frequent pattern. We develop an algorithm that parses a frequent pattern and uses count, percent, and average operators on the occurrences of attribute values to generate features [Lee et al. 1999b]. Given an intrusion-only pattern, this algorithm can capture both the anatomy and invariant behavior of the attack, and produce predictive features that are used to build classification models. Techniques for Efficient Real-time Execution of Detection Models: We study the problem of how ....
W. Lee, S. J. Stolfo, and K. W. Mok. Mining in a data-flow environment: Experience in network intrusion detection. In Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD-99), August 1999.
....detect unknown intrusions. However, it also involves major challenges because of the need to acquire a model of the normal use general enough to allow authorized users to work without raising alarms, but specific enough to recognize unauthorized usages [Lane and Brodley, 1997; Ghosh et al. 1999; Lee et al. 1999; Forrest et al. 1996]. Our approach follows the last philosophy for detecting intrusion and we describe here how it is possible to learn a model of normal use of a network from logs of the network activity. A distributed genetic algorithm, REGAL [Giordana and Neri, 1995; Neri and Saitta, 1996], ....
....on the detection performances. As learning methods, we exploited two rule-based systems: a heuristic one, RIPPER [Cohen, 1995], and an evolutive one (based on genetic algorithms), REGAL [Giordana and Neri, 1995; Neri and Saitta, 1996]. The first system has been selected because of its previous use [Lee et al. 1999]; it will thus act as a benchmark. The second system has been selected because we believe that its intrinsically stochastic behavior should allow the acquisition of alternative robust and simpler models [Neri and Saitta, 1996]. In the following, a description of the system REGAL (Section 2) and of ....
Lee, W., Stolfo, S., and Mok, K. (1999). Mining in a data-flow environment: experience in network intrusion detection. In Knowledge Discovery and Data Mining KDD'99, pages 114--124. ACM Press.
....starts a little before 12:00 and the end of a rootkit sniffer installation is accomplished at roughly 23:00. 7. Participants and Scoring: Six groups participated in the evaluation and submitted systems using a variety of approaches to intrusion detection. Details of these systems are provided in [13-18]. Three systems attempted to detect all four categories of attacks using tcpdump network packet data, sometimes supplemented with BSM audit data. One of these three used data mining or pattern classification approaches to develop detectors for old attacks included in the training data [13]. The ....
....in [13-18]. Three systems attempted to detect all four categories of attacks using tcpdump network packet data, sometimes supplemented with BSM audit data. One of these three used data mining or pattern classification approaches to develop detectors for old attacks included in the training data [13]. The other two were expert systems composed of hand-crafted signatures and efficient pattern matching algorithms designed to detect old attacks or variants of old attacks [14,15]. An additional expert system used hand-crafted signatures to find only probe and DoS attacks in tcpdump data [16]. Two ....
W. Lee, S.J. Stolfo, K. Mok, "Mining in a Data-flow Environment: Experience in Network Intrusion Detection", in Proceedings 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD '99), San Diego, CA, August 1999, http://www.cs.columbia.edu/~sal/JAM/PROJECT/.
W. Lee, S. J. Stolfo, and K. W. Mok. Mining in a data-flow environment: Experience in network intrusion detection. In Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD-99), August 1999.
....(normal) connections or processes. By first applying feature extraction algorithms, followed by the application of machine learning algorithms (e.g. RIPPER) to learn and combine multiple models for different types of intrusions, remarkably good success has been achieved in detecting intrusions [5]. This work, as well as the results reported in this paper, demonstrates convincingly that distributed data mining techniques that combine multiple models indeed produce effective fraud and intrusion detectors. Acknowledgments: The authors would like to thank the efforts of past and current ....
W. Lee, S. Stolfo, and K. Mok. Mining in a data-flow environment: Experience in network intrusion detection. In Proc. Fifth Intl. Conf. Knowledge Discovery and Data Mining, 1999. 114-124.
....with service and dst host. For building misuse detection models, we apply the frequent episodes program to both normal connection data and intrusion data, then compare the resulting patterns to find the intrusion-only patterns. The details of the pattern comparison algorithm are described in (Lee et al. 1999). Briefly, since the number of patterns may be very large and there are rarely exactly matched patterns from two data sets, this algorithm uses a heuristic, in the form of a domain-specific order of importance among attributes, and considers two episodes related to two different sets of ....
Lee, W., S. J. Stolfo, and K. W. Mok: 1999, `Mining in a Data-flow Environment: Experience in Network Intrusion Detection'. In: Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD-99).
....from audit data containing network-based denial of service (DoS) attacks suggest that several per-host and per-service measures should be included. We have developed a framework, MADAM ID (for Mining Audit Data for Automated Models for Intrusion Detection), described in [Lee and Stolfo 1998; Lee et al. 1999a; Lee et al. 1999b; Lee 1999]. The main idea is to apply data mining techniques to build intrusion detection models. The main components of the framework include programs for learning classifiers and meta-classifiers [Chan and Stolfo 1993], association rules [Agrawal et al. 1993] for link ....
....containing network-based denial of service (DoS) attacks suggest that several per-host and per-service measures should be included. We have developed a framework, MADAM ID (for Mining Audit Data for Automated Models for Intrusion Detection), described in [Lee and Stolfo 1998; Lee et al. 1999a; Lee et al. 1999b; Lee 1999]. The main idea is to apply data mining techniques to build intrusion detection models. The main components of the framework include programs for learning classifiers and meta-classifiers [Chan and Stolfo 1993], association rules [Agrawal et al. 1993] for link analysis, and frequent ....
Lee, W., Stolfo, S. J., and Mok, K. W. 1999b. Mining in a data-flow environment: Experience in network intrusion detection. In Proceedings of the 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD-99) (August 1999).
....with a higher cost. In the credit card case we simply ignored this cost. This important source of cost, however, is a major topic of research for IDS, i.e. the computational costs for rapid detection. Our work in this area is new and ongoing. Details of our initial thoughts here can be found in [13]. 5.4 Cost Model for IDS: We just described the three different types of cost in IDS: damage cost, challenge cost, and operational cost. Our cost model for IDS considers these three types of cost. Similar to the credit card case, the IDS cost model depends on the outcomes of the IDS predictions: ....
W. Lee, S. J. Stolfo, and K. W. Mok. Mining in a data-flow environment: Experience in network intrusion detection. In Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD-99), August 1999.
....is new and ongoing. Details of our initial thoughts here can be found in [13]. [Table 7. Cost types in credit card fraud and network intrusion. Damage: tranamt(t) (credit card fraud) / DCost(service,attack) (network intrusion). Challenge: overhead / overhead. Operational: subsumed in overhead / OpCost.] 5.4 Cost Model for IDS: We just described the three different types of cost in IDS: damage cost, challenge cost, and operational cost. Our cost model for IDS considers these three types of cost. Similar to the credit card case, the IDS cost model depends on the outcomes of the IDS predictions: ....
W. Lee, S. J. Stolfo, and K. W. Mok. Mining in a data-flow environment: Experience in network intrusion detection. In Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD-99), August 1999.
W. Lee, S. J. Stolfo and K. W. Mok, "Mining in a data-flow environment: experience in network intrusion detection," in Knowledge Discovery and Data Mining, pp. 114-124, 1999.
W. Lee, S. Stolfo, and K. Mok. Mining in a Data-flow Environment: Experience in Network Intrusion Detection. In Proceedings of the 5
Lee W, Stolfo S, Mok K (1999) Mining in a data-flow environment: experience in network intrusion detection. In: Proceedings of the 5th ACM SIGKDD international conference on knowledge discovery and data mining, San Diego, 15-18 August 1999, pp 114-124
W. Lee, S. Stolfo, and K. Mok. Mining in a data-flow environment: Experience in network intrusion detection. In S. Chaudhuri and D. Madigan, editors, Proc. of the 5th Int'l Conf. on Knowledge Discovery and Data Mining, pages 114--124, 1999.
W. Lee, S. Stolfo, and K. Mok. Mining in a Data-flow Environment: Experience in Network Intrusion Detection. In Proceedings of the 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD '99), San Diego, CA, August 1999.
W. Lee, S. Stolfo, and K. Mok. Mining in a Data-flow Environment: Experience in Network Intrusion Detection. In Proceedings of the 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD '99), San Diego, CA, August 1999.