A data mining framework for constructing features and models for intrusion detection systems (computer security, network security)

Authors: Wenke Lee, Salvatore J. Stolfo

DOI:

Keywords: Association rule learning, Anomaly detection, Computer security, Computer science, Set (abstract data type), Anomaly-based intrusion detection system, Feature (computer vision), Network security, Intrusion detection system, Data mining, Key (cryptography)

Abstract: Intrusion detection is an essential component of critical infrastructure protection mechanisms. The traditional pure “knowledge engineering” process of building Intrusion Detection Systems (IDSs) is very slow, expensive, and error-prone. Current IDSs thus have limited extensibility in the face of changed or upgraded network configurations, and poor adaptability to new attack methods. This thesis describes a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Intrusion Detection. Classification rules are inductively learned from audit records and used as intrusion models. A requirement for effective models is that an appropriate set of features needs to be first constructed and included in the records. The key contribution is automatic “feature construction”. Raw audit data is first preprocessed into records with “intrinsic” (i.e., general-purpose) features. Data mining algorithms are then applied to compute frequent activity patterns from the records, which are automatically analyzed to generate additional features for detection purposes. We introduce several extensions to the basic association rules and frequent episodes algorithms, namely, axis attribute(s), reference attribute(s), level-wise approximate mining, and relative support. The extended algorithms use the characteristics of audit data to direct the efficient computation of “relevant” patterns. We develop an encoding algorithm so that patterns can be easily visualized, analyzed, and compared. We devise algorithms that construct temporal and statistical features according to the semantics of the patterns. The effectiveness and advantages of our framework have been objectively evaluated through the 1998 DARPA Intrusion Detection Evaluation program.

References (0)