Adaptive Intrusion Detection: a Data Mining Approach (2000)
Venue: Artificial Intelligence Review
Citations: 96 (1 self)
Citations
3329 | Mining association rules between sets of items in large databases
- Agrawal, Imieliński, et al.
- 1993
Citation Context: ...e needed for feature selection and audit data gathering. We then discuss how to exploit the schema level information (i.e., attribute definitions) of connection records so that the association rules (Agrawal et al., 1993) and frequent episodes (Mannila et al., 1995) algorithms can be directed to compute relevant patterns from audit data efficiently. We report in detail our various experiments on using these patterns ...
1567 | Mining sequential patterns
- Agrawal, Srikant
- 1995
Citation Context: ...frequent episode algorithm finds patterns in a single sequence of event stream data. The problem of finding frequent sequential patterns that appear in many different data sequences was introduced in (Agrawal and Srikant, 1995). This related algorithm is not used in our study since the frequent network or system activity patterns can only be found in the single audit data stream from the network or the operating system. Ou...
1273 | Fast effective rule induction
- Cohen
- 1995
Citation Context: ...cutive system calls. The 11th system call of each record is the class label (i.e., the target of the learning task), and the first 10 system calls are the positional features (attributes). RIPPER (Cohen, 1995), a classification rule learner that computes the most distinguishing and concise feature value tests for each class label, was then applied to the data. The resultant rule set, consisting of 252 rul...
688 | A sense of self for unix processes
- Forrest, Hofmeyr, et al.
- 1996
Citation Context: ... Mexico, system call data of hundreds of normal sendmail runs and a dozen different simulated attacks. Based on the finding that the short sequences of system calls of a program are very consistent (Forrest et al., 1996), we pre-processed the data by using a length 11 sliding window to scan the system call sequence and create a list of records, each of which has 11 consecutive system calls. The 11th system call of e...
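The record layout described in this context and in the RIPPER context above (a length-11 sliding window over a system-call trace, the first ten calls as positional features, the 11th as the class label), carried through in code. This is an added example, not code from Lee, Stolfo and Mok or from Forrest et al. The traces are constructed, not sendmail data; the majority-vote lookup table that predicts the 11th call is an assumption standing in for RIPPER, which the paper actually uses; and scoring a trace by the fraction and the longest run of mispredicted calls is one plausible way to use the records, not something these snippets describe.

```python
"""Sliding-window records from system-call traces (length-11 window, first ten
calls as positional features, the 11th as class label).  Added example, not
the paper's code.  The traces and the majority-vote predictor are constructed
and assumed; the paper hands the same records to RIPPER instead."""

from collections import Counter, defaultdict

WINDOW = 11  # 10 positional features + 1 class label

# Constructed "normal" behaviour: one server loop, repeated.  Not real sendmail data.
LOOP = ["socket", "accept", "read", "stat", "open",
        "read", "write", "close", "write", "close"]
NORMAL_TRACES = [LOOP * 3, LOOP * 4]

# Constructed "attack": the loop is interrupted by calls never seen in training.
ATTACK_TRACE = LOOP * 2 + ["execve", "setuid", "execve"] + LOOP


def records(trace, width=WINDOW):
    """Slide a window of `width` calls over one trace and yield
    (features, label) pairs: the first width-1 calls and the last call."""
    for i in range(len(trace) - width + 1):
        chunk = trace[i:i + width]
        yield tuple(chunk[:-1]), chunk[-1]


def train(traces):
    """Build a predictor for the 11th call from the preceding ten.

    Assumption: a majority-vote table keyed on the exact 10-call prefix.  The
    paper uses RIPPER, which generalises over prefixes; this table does not,
    so any prefix absent from training is treated as unknown.
    """
    votes = defaultdict(Counter)
    for trace in traces:
        for features, label in records(trace):
            votes[features][label] += 1
    return {prefix: counts.most_common(1)[0][0]
            for prefix, counts in votes.items()}


def score(model, trace):
    """Return (fraction of mispredicted windows, longest run of consecutive
    mispredictions).  A prefix the model has never seen counts as a miss.
    Reading runs of misses as the signal is an assumption about how to use the
    records; the snippets above only describe their layout."""
    misses = [model.get(features) != label for features, label in records(trace)]
    if not misses:
        return 0.0, 0
    longest = run = 0
    for miss in misses:
        run = run + 1 if miss else 0
        longest = max(longest, run)
    return sum(misses) / len(misses), longest


if __name__ == "__main__":
    model = train(NORMAL_TRACES)
    print("distinct prefixes learned:", len(model))    # 10
    print("normal :", score(model, NORMAL_TRACES[0]))   # (0.0, 0)
    print("attack :", score(model, ATTACK_TRACE))       # (13/23, 13)
```

The attack trace is mispredicted at every window that overlaps the injected calls, so the misses arrive as one contiguous run of 13 rather than scattered across the trace; that contiguity is what distinguishes the interrupted loop from ordinary noise and is why a table that cannot generalise still separates the two constructed traces.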
463 | Discovery of multiple-level association rules from large databases
- Han, Fu
- 1995
Citation Context: ...r services such as smtp and login. It is therefore imperative to include these high frequency services when presenting episode rules about auth. Our approach here is different from the algorithms in (Han and Fu, 1995) since we do not have and cannot assume multiple concept levels; rather, we deal with multiple frequency levels of a single concept, e.g., the network service. framework.tex; 11/12/2000; 14:59; p.17...
353 | State Transition Analysis: A Rule-based Intrusion Detection Approach
- Ilgun, Kemmerer, et al.
- 1995
Citation Context: ...s the evidence (e.g., damage) left behind by intrusions can be represented by a number of general pattern matching models. For example, NIDES (Lunt, 1993) uses rules to describe attack actions, STAT (Ilgun et al., 1995) uses state transition diagrams to model general states of the system and access control violations, and IDIOT (Kumar and Spafford, 1995) uses Colored Petri nets to represent intrusion signatures as ...
338 | Security Problems in the TCP/IP Protocol Suite
- Bellovin
- 1989
Citation Context: ... are always exploitable weaknesses in the systems due to design and programming errors. For example, there are known design flaws in TCP/IP protocols and Unix systems that have led to security holes (Bellovin, 1989; Grampp and Morris, 1984); and after it was first reported many years ago, exploitable "buffer overflow" bugs still exist in some recent system software due to programming errors. The policies that b...
288 | Mining association rules with item constraints
- Srikant, Vu, et al.
- 1997
Citation Context: ... bytes, and the normal status (i.e., flag=SF) of the connection. In (Klemettinen et al., 1994), rule templates specifying the allowable attribute values are used to postprocess discovered rules. In (Srikant et al., 1997), boolean expressions over the attribute values are used as item constraints during rule discovery. A drawback of these approaches is that one has to know a priori what rules and patterns are interes...
221 | Adaptive fraud detection
- Fawcett, Provost
- 1997
Citation Context: ...sed in the machine learning literature, cannot be directly applied here since prior work typically does not consider sequential correlation of features across record boundaries. Fawcett and Provost (Fawcett and Provost, 1997) presented some very interesting ideas on automatic selection of features for a cellular fraud detector. Their method is very effective in detecting "superimposition fraud" in which fraudulent activi...
156 | JAM: Java agents for meta-learning over distributed databases
- Stolfo, Tselepis, et al.
- 1997
Citation Context: ...ng algorithm can then be applied to the meta-level records to produce the combined detection model. We have previously performed a number of meta-learning experiments for credit card fraud detection (Stolfo et al., 1997). We next describe similar experiments in intrusion detection. Table V. Meta-level Connection Records: old_model_prediction, new_model_p...
152 | Discovering generalized episodes using minimal occurrences
- Mannila, Toivonen
- 1996
Citation Context: ...cannot exceed the size of the database, this implementation works well in this particular application domain. The problem of finding frequent episodes based on minimal occurrences was introduced in (Mannila and Toivonen, 1996). Briefly, given an event database D where each transaction is associated with a timestamp, an interval [t1, t2] is the sequence of transactions that starts from timestamp t1 and ends at t2. T...
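The minimal-occurrence idea that this context introduces and then cuts off, carried through for serial episodes over a stream of timestamped connection records, with an episode's support counted as its minimal occurrences no wider than a window bound and a rule's confidence as the ratio of two such supports. This is an added example, not code from the paper or from Mannila and Toivonen. The event stream is constructed; treating each record as (timestamp in seconds, network service) and using one window bound for both sides of a rule are assumptions.

```python
"""Minimal occurrences of serial episodes in a timestamped event stream, and
the support/confidence of an episode rule computed from them.  Added example;
not code from the paper or from Mannila and Toivonen.  The event stream is
constructed: (timestamp in seconds, network service) per connection record,
which is an assumption about the record layout."""

from bisect import bisect_left, bisect_right

# Constructed stream of connection records, sorted by timestamp.
EVENTS = [(1, "http"), (2, "smtp"), (4, "auth"), (5, "smtp"), (7, "http"),
          (8, "auth"), (9, "http"), (12, "smtp"), (13, "auth"), (20, "auth")]


def index_by_type(events):
    """Map each event type to its sorted list of timestamps."""
    index = {}
    for timestamp, event_type in events:
        index.setdefault(event_type, []).append(timestamp)
    for timestamps in index.values():
        timestamps.sort()
    return index


def _latest_before(timestamps, t):
    i = bisect_left(timestamps, t)          # first index with value >= t
    return timestamps[i - 1] if i else None


def _earliest_after(timestamps, t):
    i = bisect_right(timestamps, t)         # first index with value > t
    return timestamps[i] if i < len(timestamps) else None


def minimal_occurrences(events, episode):
    """All minimal occurrences [t1, t2] of a serial episode (types that must
    appear in order at strictly increasing timestamps).  [t1, t2] is minimal
    when the episode occurs in it but in no proper sub-interval.

    For each candidate end time (an occurrence of the last type) walk backwards
    taking the latest possible earlier event; that gives the largest t1 for
    which the episode fits in [t1, t_end].  Then walk forwards from t1 taking
    the earliest possible next event; if that lands back on t_end, no shorter
    interval starting at t1 contains the episode, so [t1, t_end] is minimal."""
    index = index_by_type(events)
    if any(event_type not in index for event_type in episode):
        return []
    found = []
    for t_end in index[episode[-1]]:
        t = t_end
        for event_type in reversed(episode[:-1]):
            t = _latest_before(index[event_type], t)
            if t is None:
                break
        if t is None:
            continue
        t_start = t
        for event_type in episode[1:]:
            t = _earliest_after(index[event_type], t)
            if t is None:
                break
        if t == t_end:
            found.append((t_start, t_end))
    return found


def support(events, episode, window):
    """Number of minimal occurrences no wider than `window` seconds."""
    return sum(1 for t1, t2 in minimal_occurrences(events, episode)
               if t2 - t1 <= window)


def rule_confidence(events, lhs, rhs, window):
    """Confidence of the episode rule lhs => rhs, with lhs a sub-episode of
    rhs, as the ratio support(rhs) / support(lhs) under one window bound
    (a simplification of using separate bounds for each side).
    Returns 0.0 when lhs never occurs within the window."""
    lhs_support = support(events, lhs, window)
    return support(events, rhs, window) / lhs_support if lhs_support else 0.0


if __name__ == "__main__":
    print(minimal_occurrences(EVENTS, ("smtp", "auth")))          # [(2, 4), (5, 8), (12, 13)]
    print(minimal_occurrences(EVENTS, ("http", "smtp", "auth")))  # [(1, 4), (9, 13)]
    print(rule_confidence(EVENTS, ("smtp", "auth"),
                          ("http", "smtp", "auth"), 5))           # 2/3
```

Note what the backward-then-forward walk rejects: the auth at t=20 has an smtp before it (t=12), but the interval [12, 20] also contains the auth at t=13, so it is not minimal and is not counted; likewise [1, 8] for http, smtp, auth is dropped because [1, 4] sits inside it. Counting only minimal occurrences is what keeps a burst of auth connections from inflating the support of every episode that ends in auth.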
147 | Clustering association rules
- Lent, Swami, et al.
- 1997
Citation Context: ...heir RHSs can be combined and LHSs can also be combined; and 2) the support values and the confidence values are close, i.e., within an ε. The concept of combining here is similar to clustering in (Lent et al., 1997) in that we also combine rules that are "similar" or "adjacent". To simplify our discussion, consider combining the LHSs and assume that the LHS of r1 has just one itemset, (ax1 = vx1, a1 = v1 ...
115 | Mining Audit Data to Build Intrusion Detection Models (Proc. KDD-98; honorable mention, best application paper)
- Lee, Stolfo, et al.
- 1998
Citation Context: ...tion records extracted from the raw tcpdump output, and the Web site visit records processed using Web site logs. We assume that audit data records are timestamped and hence ordered. As described in (Lee et al., 1998), the main challenge in developing these data mining algorithms is to provide support mechanisms for domain knowledge so that "useful" patterns are computed. We next describe these basic data mining ...
114 | The architecture of a network level intrusion detection system
- Heady, Luger, et al.
- 1990
Citation Context: ...s and criminals. Therefore, we need to find the best ways possible to protect our systems. The security of a computer system is compromised when an intrusion takes place. An intrusion can be defined (Heady et al., 1990) as "any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource", for example, illegally gaining superuser privileges, attacking and rendering a system...
99 | Toward parallel and distributed learning by meta-learning
- Chan, Stolfo
- 1993
Citation Context: ...oping a framework, first described in (Lee and Stolfo, 1998), of applying data mining techniques to build intrusion detection models. This framework consists of classification and meta-classification (Chan and Stolfo, 1993), association rules and frequent episodes programs, as well as a support environment that enables system builders to interactively and iteratively drive the process of constructing and evaluating det...
94 | A software architecture to support misuse intrusion detection
- Kumar, Spafford
- 1995
Citation Context: ...ple, NIDES (Lunt, 1993) uses rules to describe attack actions, STAT (Ilgun et al., 1995) uses state transition diagrams to model general states of the system and access control violations, and IDIOT (Kumar and Spafford, 1995) uses Colored Petri nets to represent intrusion signatures as sequences of events on the target system. The key advantage of misuse detection systems is that once the patterns of known intrusions are...
78 | A real-time intrusion detection expert system (IDES) - final technical report
- Lunt, Tamaru, et al.
- 1992
Citation Context: ...on generally refers to "outsider attacks". We make no such distinction here. 2.1. ANOMALY DETECTION Anomaly detection, for example IDES (Lunt et al., 1992), tries to determine whether deviation from an established normal behavior profile can be flagged as an intrusion. A profile typically consists of a number of statistical measures on system activitie...
59 | Detecting intruders in computer systems
- Lunt
- 1993
Citation Context: ...conditions that compromise a system's security, as well as the evidence (e.g., damage) left behind by intrusions can be represented by a number of general pattern matching models. For example, NIDES (Lunt, 1993) uses rules to describe attack actions, STAT (Ilgun et al., 1995) uses state transition diagrams to model general states of the system and access control violations, and IDIOT (Kumar and Spafford, 19...
45 | tcpdump, available via anonymous ftp to ftp.ee.lbl.gov
- Jacobson, Leres, et al.
- 1989
Citation Context: ... this paper, we use attributes in the context of mining frequent patterns, and features in the context of building classifiers. tcpdump (Jacobson et al., 1989) can capture traffic data for analysis and monitoring. We obtained a set of tcpdump data on network traffic, available via http://iris.cs.uml.edu:8080/network.html, that is part of an Information Ex...
4 | Unix system security
- Grampp, Morris
- 1984
Citation Context: ...oitable weaknesses in the systems due to design and programming errors. For example, there are known design flaws in TCP/IP protocols and Unix systems that have led to security holes (Bellovin, 1989; Grampp and Morris, 1984); and after it was first reported many years ago, exploitable "buffer overflow" bugs still exist in some recent system software due to programming errors. The policies that balance convenience versus...
4 | Data Mining Approaches for Intrusion Detection
- Lee, Stolfo
- 1998
4 | Test Center Comparison: Network intrusion-detection solutions
- McClure, Scambray, et al.
- 1998
Citation Context: ...ments on a set of network intrusion data from InfoWorld, which contains attacks of the "InfoWorld Security Suite 16" that was used to evaluate several leading commercial intrusion detection products (McClure et al., 1998). We hereafter refer to this dataset as the IWSS16 dataset. We were given two traces of tcpdump data. One contains 4 hours of normal network traffic, and the other contains 2 hours of network traffic wh...
3 | Finding Interesting Rules from Large Sets of Discovered Association Rules (CIKM-1994)
- Mannila, Toivonen, et al.
- 1994
2 | Sequence Matching and Learning in Anomaly Detection for Computer Security
- Lane, Brodley
- 1997
2 | Discovering Frequent Episodes in Sequences
- Mannila, Toivonen, et al.
- 1995