7th USENIX Security Symposium, San Antonio, Texas
Data Mining Approaches for Intrusion Detection
Wenke Lee and Salvatore J. Stolfo
Columbia University
Abstract
In this paper we discuss our research in developing general and
systematic methods for intrusion detection. The key ideas are to use
data mining techniques to discover consistent and useful patterns of
system features that describe program and user behavior, and use the
set of relevant system features to compute (inductively learned)
classifiers that can recognize anomalies and known intrusions. Using
experiments on the sendmail system call data and the network
tcpdump data, we demonstrate that we can construct concise and
accurate classifiers to detect anomalies. We provide an overview of
two general data mining algorithms that we have implemented: the
association rules algorithm and the frequent episodes algorithm. These
algorithms can be used to compute intra-audit-record patterns (among the
attributes of a single record) and inter-audit-record patterns (across
sequences of records), which are essential in describing program or user
behavior. The discovered patterns can guide the audit data gathering
process and facilitate feature selection. To meet the challenges of
both efficient learning (mining) and real-time detection, we propose
an agent-based architecture for intrusion detection systems where the
learning agents continuously compute and provide the updated
(detection) models to the detection agents.
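As an added illustration of the two pattern-mining steps the abstract names (this is not the paper's code or data): serial frequent episodes mined over sliding windows of system-call traces (inter-record patterns), single-antecedent association rules mined over summarised connection records (intra-record patterns), and a simple anomaly score that counts the windows of a new trace in which none of the learned episodes occur. The traces, connection records, window width and support/confidence thresholds are constructed for this example; the classifier-learning step the abstract mentions is not shown.

```python
"""Added illustration (not the paper's code or data): frequent serial
episodes over system-call traces and single-antecedent association rules
over connection records, then an anomaly score for a new trace.
All traces, records and thresholds below are constructed/hypothetical."""
from collections import Counter
from itertools import combinations

# Constructed system-call traces in the style of sendmail audit data.
NORMAL_TRACES = [
    ["open", "read", "mmap", "close", "exit"],
    ["open", "read", "mmap", "mmap", "close", "exit"],
    ["open", "read", "close", "exit"],
]
# Constructed trace containing a sequence absent from the normal profile.
SUSPICIOUS_TRACE = ["open", "read", "write", "execve", "fork", "execve", "close", "exit"]

# Constructed connection records in the style of summarised tcpdump data.
CONNECTION_RECORDS = [
    {"service": "http", "flag": "SF", "src_bytes": "small"},
    {"service": "http", "flag": "SF", "src_bytes": "small"},
    {"service": "http", "flag": "SF", "src_bytes": "large"},
    {"service": "smtp", "flag": "SF", "src_bytes": "small"},
    {"service": "smtp", "flag": "REJ", "src_bytes": "zero"},
]


def windows(trace, width):
    """Sliding windows of fixed width over one trace (inter-record context)."""
    return [tuple(trace[i:i + width]) for i in range(len(trace) - width + 1)]


def serial_episodes(window, max_len):
    """Ordered sub-sequences of length 2..max_len that occur within a window."""
    episodes = set()
    for n in range(2, max_len + 1):
        for idx in combinations(range(len(window)), n):
            episodes.add(tuple(window[i] for i in idx))
    return episodes


def mine_frequent_episodes(traces, width=3, max_len=3, min_support=0.3):
    """Map episode -> support, keeping episodes present in at least
    min_support of all sliding windows across the normal traces."""
    counts = Counter()
    total = 0
    for trace in traces:
        for w in windows(trace, width):
            total += 1
            counts.update(serial_episodes(w, max_len))
    return {ep: c / total for ep, c in counts.items() if c / total >= min_support}


def anomaly_score(trace, profile, width=3, max_len=3):
    """Fraction of windows in `trace` that contain no episode from the profile;
    0.0 means every window matches some normal pattern."""
    known = set(profile)
    ws = windows(trace, width)
    if not ws:
        return 0.0
    unmatched = sum(1 for w in ws if known.isdisjoint(serial_episodes(w, max_len)))
    return unmatched / len(ws)


def association_rules(records, min_support=0.5, min_confidence=0.8):
    """Single-antecedent rules (attr=val) -> (attr'=val') over records
    (intra-record patterns), filtered by support and confidence."""
    n = len(records)
    item_counts = Counter()
    pair_counts = Counter()
    for rec in records:
        items = sorted(rec.items())
        item_counts.update(items)
        pair_counts.update(combinations(items, 2))  # pairs of distinct attributes
    rules = []
    for (a, b), joint in pair_counts.items():
        for lhs, rhs in ((a, b), (b, a)):
            support = joint / n
            confidence = joint / item_counts[lhs]
            if support >= min_support and confidence >= min_confidence:
                rules.append((lhs, rhs, support, confidence))
    return rules


if __name__ == "__main__":
    profile = mine_frequent_episodes(NORMAL_TRACES)
    for ep, sup in sorted(profile.items(), key=lambda kv: -kv[1]):
        print(f"episode {' -> '.join(ep)}: support {sup:.2f}")
    print("score(normal)    :", anomaly_score(NORMAL_TRACES[0], profile))
    print("score(suspicious):", anomaly_score(SUSPICIOUS_TRACE, profile))
    for lhs, rhs, sup, conf in association_rules(CONNECTION_RECORDS):
        print(f"{lhs[0]}={lhs[1]} -> {rhs[0]}={rhs[1]} "
              f"(support {sup:.2f}, confidence {conf:.2f})")
```

With these constructed inputs the normal traces score 0.0 (every window contains a learned episode such as open -> read or close -> exit), while the suspicious trace scores 2/3 because the write/execve/fork windows match nothing in the profile. The support threshold and window width are the knobs a practitioner tunes: too low a support admits rare patterns as normal and suppresses the score, too narrow a window misses the ordering context the abstract calls inter-record patterns.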