13.3.4 Data Mining for Intrusion Detection and Prevention
The security of our computer systems and data is at continual risk. The extensive growth
of the Internet and the increasing availability of tools and tricks for intruding into and
attacking networks have made intrusion detection and prevention a critical component of
networked systems. An intrusion can be defined as any set of actions that threatens the
integrity, confidentiality, or availability of a network resource (e.g., user accounts,
file systems, system kernels, and so on). Intrusion detection systems and intrusion
prevention systems both monitor network traffic and/or system executions for malicious
activity. The difference is in what they do with a detection: an intrusion detection
system produces alerts and reports, whereas an intrusion prevention system is placed
in-line on the traffic path and can actively block intrusions as they are detected. The
main functions of an intrusion prevention system are therefore to identify malicious
activity, log information about that activity, attempt to block or stop it, and report it.
The majority of intrusion detection and prevention systems use either signature-based
detection or anomaly-based detection.
Signature-based detection: This method of detection utilizes signatures, which are
attack patterns that are preconfigured and predetermined by domain experts. A
signature-based system monitors the network traffic for matches to these signatures.
Once a match is found, an intrusion detection system reports it and an intrusion
prevention system takes additional appropriate actions, such as dropping the traffic.
Note that since the monitored systems are usually quite dynamic, the signatures need to
be updated laboriously whenever new software versions arrive, the network configuration
changes, or other situations occur. Another drawback is that such a detection mechanism
can only identify cases that match the signatures. That is, it is unable to detect new
or previously unknown intrusion tricks.
Anomaly-based detection: This method builds models of normal network behavior (called
profiles) that are then used to detect new patterns that significantly deviate from the
profiles. Such deviations may represent actual intrusions or simply be new legitimate
behaviors that need to be added to the profiles. The main advantage of anomaly detection
is that it may detect novel intrusions that have not yet been observed. Typically, a
human analyst must sort through the deviations to ascertain which represent real
intrusions, and a limiting factor of anomaly detection is the high percentage of false
positives this produces. Once a deviation has been confirmed as an intrusion, its pattern
can be added to the set of signatures to enhance signature-based detection.
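The following Python program is an added example, not code from the original text, that runs both detection styles described above over a constructed web-server log. The log lines, the two signature patterns, the user names and the per-user request-count profile are all assumptions made for illustration (the signatures are not taken from any real IDS rule set). It shows the trade-off the text describes: the signature detector catches only the two known attack patterns and misses a novel enumeration attack, while the anomaly detector catches the enumeration by volume but also flags a new legitimate batch job, a false positive an analyst would resolve by adding it to the profile.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# --- Constructed input: one request per line, "src user method path status".
# These lines are fabricated for the example; they are not real traffic.
def make_lines(src, user, paths, status="200", method="GET"):
    return [f"{src} {user} {method} {p} {status}" for p in paths]

# Baseline window: only normal traffic, used to build the profile.
BASELINE = "\n".join(
    make_lines("10.0.0.5", "alice", ["/index.html", "/about.html", "/docs", "/docs/intro"])
    + make_lines("10.0.0.7", "bob", ["/login", "/home", "/logout"])
    + make_lines("10.0.0.8", "carol", ["/index.html", "/docs", "/docs/a", "/docs/b", "/logout"])
    + make_lines("10.0.0.6", "dave", ["/home", "/reports", "/reports/q1", "/logout"])
)

# Detection window: normal users, one attacker using known tricks (mallory),
# one attacker enumerating an export endpoint (eve), and a new legitimate
# batch job (backup) whose behaviour the profile has never seen.
DETECTION = "\n".join(
    make_lines("10.0.0.5", "alice", ["/index.html", "/about.html", "/docs", "/logout"])
    + make_lines("10.0.0.7", "bob", ["/login", "/home", "/logout"])
    + make_lines("10.0.0.9", "mallory",
                 ["/search?q='%20OR%20'1'='1", "/cgi-bin/../../etc/passwd"], status="500")
    + make_lines("10.0.0.11", "eve", [f"/api/export?id={i}" for i in range(1, 31)])
    + make_lines("10.0.0.20", "backup", [f"/reports/q{i}" for i in range(1, 21)])
)

LOG_LINE = re.compile(
    r"^(?P<src>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def parse(log_text):
    """Parse the constructed log format into a list of dicts; skips bad lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


# --- Signature-based detection: expert-written patterns for known attacks.
# Both patterns are illustrative assumptions, not production rules.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
]


def signature_detect(events):
    """Return (user, signature_name, path) for each request matching a signature.

    The path is URL-decoded first so that encoded spaces or dots cannot
    trivially evade the pattern."""
    hits = []
    for ev in events:
        decoded = unquote(ev["path"])
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                hits.append((ev["user"], name, ev["path"]))
    return hits


# --- Anomaly-based detection: a profile of normal per-user request volume.
def build_profile(events):
    """Profile = mean and sample standard deviation of requests per user."""
    counts = Counter(ev["user"] for ev in events)
    values = list(counts.values())
    return {"mean": statistics.mean(values), "stdev": statistics.stdev(values)}


def anomaly_detect(profile, events, k=3.0):
    """Flag users whose request count exceeds mean + k * stdev of the profile.

    Returns sorted (user, count) pairs; every hit still needs analyst triage."""
    threshold = profile["mean"] + k * profile["stdev"]
    counts = Counter(ev["user"] for ev in events)
    return sorted((u, c) for u, c in counts.items() if c > threshold)


if __name__ == "__main__":
    window = parse(DETECTION)
    print("signature hits:", signature_detect(window))
    print("anomaly hits:  ", anomaly_detect(build_profile(parse(BASELINE)), window))
```

Running it shows mallory caught only by the signatures and eve only by the anomaly profile; backup is the false positive the text warns about, and the analyst's decision to add the job's volume to the baseline (or to promote eve's enumeration pattern to a new signature) is exactly the feedback loop between the two approaches.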
Data mining methods can help an intrusion detection and prevention system to
enhance its performance in various ways as follows.
New data mining algorithms for intrusion detection: Data mining algorithms can be used
for both signature-based and anomaly-based detection. In signature-based detection,
training data are labeled as either "normal" or "intrusion." A classifier can then be
derived to detect known intrusions. Research in this area has