two main sources, network packet streams and host log files. Once the information is collected, the detection algorithm starts looking for any evidence of the existence of intrusions.
There are two general methodologies of detection used by IDSs: misuse and anomaly detection [2,3]. Misuse detection systems such as STAT [4] look for a known malicious behavior or signature; once it is detected, an alarm is raised for further action. While this type is useful for detecting known attacks, it cannot detect novel attacks, and its signature database needs to be updated frequently. The main feature of this model is its low false alarm rate. Anomaly detection models (e.g. IDES [5]) compare a reference model of normal behavior with the suspicious activities and flag deviations as anomalous and potentially intrusive. Unlike misuse detection, anomaly detection systems can identify unknown intrusions. The most apparent drawback of these systems is their high rate of false alarms. The two detection approaches can be combined to detect attacks more efficiently. There are various types of detection models (e.g. [6], [7], and [8]). Among these techniques, ADAM (Audit Data Analysis and Mining), association rule data mining [9,10], and classification data mining [11,12,13] are the main algorithms used.
Following this introduction, we provide a background on the related work and a brief description of our contribution. Section 2 then presents the proposed algorithm. In Section 3, the experiments are explained, including the data set model and the details of the learning and detection phases. Finally, Section 4 summarizes this paper's main conclusions.
1.1 Related Work
There has been extensive work on representing and recognizing normal or malicious activities. Henry et al. in [14] proposed an approach that uses a time-based inductive machine (TIM) to generate rule-based sequential patterns that characterize the behavior of a user. This approach is, to some extent, similar to our approach in that both can be used to offer a simplified view of a set of complex data. There are, however, some fundamental differences between the two approaches: first, Henry's approach conducts a heuristic search to find the rules that satisfy certain given criteria, while our approach is mainly used for the evaluation of generated patterns. Second, Henry's model uses only continuous patterns, while our model combines both continuous and discontinuous patterns. Third, when our model is used for anomaly detection, deviation from the norm in TIM is detected by matching the two sides of a rule, while in our model deviation is determined by summing the weights of the matched patterns.
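As an added illustration of the continuous/discontinuous pattern distinction and the weighted-sum deviation check described above (this is not the paper's own algorithm, whose Section 2 is not on this page): it assumes weighted patterns learned from normal sessions, a session score equal to the sum of the weights of the patterns it matches, and a deviation whenever that score falls below a threshold; the pattern set, weights, threshold and audit sequences are constructed.

```python
# Added illustration, not the paper's own algorithm (its Section 2 is not on
# this page). Assumed reading: weighted patterns are learned from normal
# sessions, a session's score is the sum of the weights of the patterns it
# matches, and a score below a threshold is a deviation from the norm.
from typing import Dict, Sequence, Tuple

# A pattern is (event tuple, continuous?): a continuous pattern must occur as a
# contiguous run of audit events, a discontinuous one may have gaps in between.
Pattern = Tuple[Tuple[str, ...], bool]

def matches_continuous(seq: Sequence[str], pat: Sequence[str]) -> bool:
    """True if pat occurs in seq as a contiguous run (continuous pattern)."""
    n = len(pat)
    return any(tuple(seq[i:i + n]) == tuple(pat) for i in range(len(seq) - n + 1))

def matches_discontinuous(seq: Sequence[str], pat: Sequence[str]) -> bool:
    """True if pat occurs in seq in order, with arbitrary events in between."""
    events = iter(seq)  # shared iterator: each pattern event must follow the previous match
    return all(any(ev == p for ev in events) for p in pat)

def normality_score(seq: Sequence[str], patterns: Dict[Pattern, float]) -> float:
    """Sum the weights of every learned pattern that matches the audit sequence."""
    score = 0.0
    for (pat, continuous), weight in patterns.items():
        matcher = matches_continuous if continuous else matches_discontinuous
        if matcher(seq, pat):
            score += weight
    return score

def is_deviation(seq: Sequence[str], patterns: Dict[Pattern, float], threshold: float) -> bool:
    """Flag the sequence when it matches too little of the learned normal behaviour."""
    return normality_score(seq, patterns) < threshold

# Constructed sample: the weights stand in for the support each pattern would
# receive in a learning phase; the threshold is likewise a constructed value.
NORMAL_PATTERNS: Dict[Pattern, float] = {
    (("login", "read", "logout"), True): 2.0,   # continuous
    (("login", "logout"), False): 1.0,          # discontinuous
    (("read", "write"), True): 1.5,             # continuous
}
THRESHOLD = 2.0

if __name__ == "__main__":
    for s in (["login", "read", "logout"], ["login", "write", "write", "exec"]):
        print(s, normality_score(s, NORMAL_PATTERNS), is_deviation(s, NORMAL_PATTERNS, THRESHOLD))
```

The second session below the threshold shows the effect of the pattern type: `login, write, read, logout` contains `login, read, logout` only as a discontinuous pattern, so the continuous pattern contributes nothing to its score.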
The efforts that contribute most to the current proposal are those of Kim in [15] and Wenke Lee in [16]. Kim proposed a new intrusion detection classification using data mining based on CTAR, which considers the temporal attribute of audit data. Lee applied data mining with a frequent episode algorithm and structured statistical features, and built his detection model on the RIPPER classifier. In the following, we summarize some drawbacks that have been noticed in these two approaches: First, although some