A framework for constructing features and models for intrusion detection systems 论文

2000ACM Transactions on Information and System Security引用 959
Network Security and Intrusion DetectionInternet Traffic Analysis and Secure E-votingAnomaly Detection Techniques and Applications

详细信息

发表期刊/会议
ACM Transactions on Information and System Security
发表日期
2000-11-01
发表年份
2000

关键词

Network Security and Intrusion DetectionInternet Traffic Analysis and Secure E-votingAnomaly Detection Techniques and Applications

摘要

Intrusion detection (ID) is an important component of infrastructure protection mechanisms. Intrusion detection systems (IDSs) need to be accurate, adaptive, and extensible. Given these requirements and the complexities of today's network environments, we need a more systematic and automated IDS development process rather that the pure knowledge encoding and engineering approaches. This article describes a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Instrusion Detection. This framework uses data mining algorithms to compute activity patterns from system audit data and extracts predictive features from the patterns. It then applies machine learning algorithms to the audit records taht are processed according to the feature definitions to generate intrusion detection rules. Results from the 1998 DARPA Intrusion Detection Evaluation showed that our ID model was one of the best performing of all the participating systems. We also briefly discuss our experience in converting the detection models produced by off-line data mining programs to real-time modules of existing IDSs.