intrusion behaviors depend on frequent episodes or temporal attributes, an analysis based on statistical features may not reflect the relationships between different features in the context of time order, e.g., attacks whose features appear only once in the records, and attacks based on features that have no frequent connection records or that occur only once in an attack. Second, both detection methods of Wenke and Kim were designed to detect mainly Probe and DoS attacks. Current efforts in intrusion detection focus on detecting attacks with no clearly evident features, such as application-layer attacks or what the DARPA dataset calls remote-to-local and user-to-root attacks. Third, and most important, using statistical analysis loses the order of actions. Because the evident features of an attack are spread over many records, we need a technique that searches the records vertically and digs out the record sequences for each single itemset that may reflect attack features; that is, continuous- and discontinuous-pattern based data mining.
1.2 Our Contribution
The objective of this paper is to treat the system's ordered actions differently. Our approach uses continuous and discontinuous patterns to characterize the system behaviour. We used the proposed technique to extract some attack signatures and also to build an anomaly detection classifier. To classify a new sequence as either normal or intrusive, our proposed classifier converts the new sequence into a number of patterns and then calculates the similarity between these patterns and those of the training sequences. Applying this method to intrusion detection has several advantages. First, limited and reasonable deviations from the norm are allowed without affecting the detection rate; thus, the false positive rate is significantly reduced. Second, and foremost, this technique aims to discover all important possible patterns within the sequence. Third, when this technique is used to build attack signatures, it can deal with any kind of attack attribute, such as time, numerical, categorical, and free-text.
2 Proposed Algorithm
2.1 Notations and Definitions
This section defines concepts that are central to this article, including the fundamental notions and definitions.
Definition 1 (Notions).
- C(k,l): the set of candidate sequences of k elements and l stars.
- L(k,l): the set of sequences whose support value is greater than the given minimum support, where the sequence length is k and the sequence has l stars.
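As an added illustration (not code from the paper), the following Python sketch mines (k,l)-patterns from constructed call traces, keeps the frequent set L(k,l), and scores a new sequence by its overlap with the normal profile, as Sections 1.2 and 2.1 describe. The pattern shape (first and last elements fixed, stars on inner positions), the inclusive support threshold and the overlap measure are assumptions; the paper's exact definitions are not on this page.

```python
# Added example: continuous/discontinuous pattern mining for sequence
# classification. Pattern shape, support rule and similarity are assumptions.
from collections import Counter
from itertools import combinations

STAR = "*"  # a star stands for one skipped element (a discontinuity)

def patterns_of(seq, k, l):
    """Candidate (k,l)-patterns of one sequence: a window of k consecutive
    elements whose first and last positions stay fixed and whose l inner
    positions are replaced by stars. l = 0 yields the continuous patterns."""
    out = set()
    for start in range(len(seq) - k + 1):
        window = tuple(seq[start:start + k])
        for stars in combinations(range(1, k - 1), l):
            out.add(tuple(STAR if i in stars else window[i] for i in range(k)))
    return out

def frequent_patterns(sequences, k, l, min_support):
    """C(k,l) -> L(k,l): support is the number of training sequences that
    contain the pattern; keep those meeting min_support (assumed inclusive)."""
    support = Counter()
    for seq in sequences:
        support.update(patterns_of(seq, k, l))
    return {p for p, s in support.items() if s >= min_support}

def similarity(new_seq, normal_patterns, k, l):
    """Fraction of the new sequence's patterns already present in the normal
    profile; 1.0 means every pattern was seen during training."""
    pats = patterns_of(new_seq, k, l)
    if not pats:
        return 0.0
    return len(pats & normal_patterns) / len(pats)

def classify(new_seq, normal_patterns, k, l, threshold):
    """Limited deviation is tolerated: only sequences whose overlap with the
    normal profile falls below threshold are flagged as intrusive."""
    score = similarity(new_seq, normal_patterns, k, l)
    return "normal" if score >= threshold else "intrusive"

# Constructed training data: short system-call-like traces of normal sessions.
NORMAL = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "close"],
    ["open", "stat", "write", "close"],
]
K, L, MIN_SUPPORT, THRESHOLD = 3, 1, 2, 0.5
PROFILE = frequent_patterns(NORMAL, K, L, MIN_SUPPORT)  # L(3,1) of the normal traces

if __name__ == "__main__":
    print(sorted(PROFILE))
    print(classify(["open", "stat", "write", "close"], PROFILE, K, L, THRESHOLD))
    print(classify(["open", "exec", "socket", "connect"], PROFILE, K, L, THRESHOLD))
```

The third normal trace shares only half its patterns with the profile yet is still accepted at the 0.5 threshold, which is the tolerated deviation the paper describes; the constructed trace with unseen calls shares none and is flagged.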