Hybrid intrusion detection with weighted signature generation over anomalous internet episodes

IEEE Transactions on Dependable and Secure Computing

Volumn 4, Issue 1, 2007, Pages 41-55

  Hwang, Kai ^a,b   Cai, Min ^a,b   Chen, Ying ^a,b   Qin, Min ^b  

^a IEEE   (United States)

^b University of Southern California   (United States)

Author keywords

Anomaly detection; False alarms; Internet episodes; Intrusion detection systems; Network security; Signature generation; SNORT and Bro systems; Traffic data mining

Indexed keywords

DATA MINING; DATA TRANSFER; DATABASE SYSTEMS; ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS; INTERNET; TELECOMMUNICATION TRAFFIC;

ANOMALY DETECTION SYSTEM (ADS); DATA SETS; HYBRID INTRUSION DETECTION SYSTEM (HIDS); TRAFFIC DATA MINING;

NETWORK SECURITY;

EID: 33847743856     PISSN: 15455971     EISSN: None     Source Type: Journal    
DOI: 10.1109/TDSC.2007.9     Document Type: Article

References (34)

1. D. Barbara, J. Couto, S. Jajodia, L. Popyack, and N. Wu, "ADAM: Detecting Intrusions by Data Mining," Proc. IEEE Workshop Information Assurance and Security, 2001.
2. D.J. Burroughs, L.F. Wilson, and G.V. Cybenko, "Analysis of Distributed Intrusion Detection Systems Using Bayesian Methods Performance," Proc. IEEE Int'l Computing and Comm. Conf., pp. 329-334, 2002.
3. M. Cai, K. Hwang, J. Pan, and C. Papadupolous, "WormShield: Fast Worm Signature Generation Using Distributed Fingerprint Aggregation," to be published in IEEE Trans. Dependabk and Secure Computing, 2007.
4. B. Casewell and J. Beale, SNORT 2.1, Intrusion Detection, second ed. Syngress, May 2004.
5. W. Cohen, "Fast Effective Rule Induction," Proc. 12th Int'l Conf. Machine Learning. 1995.
6. F. Cuppens and A. Miege, "Alert Correlation in a Cooperative Intrusion Detection Framework," Proc. 2002 IEEE Symp. Security and Privacy, pp. 187-200, 2002.
7. L. Ertoz, E. Eilertson, A. Lazarevic, P. Tan, J. Srivastava, V. Kumar, and P. Dokas, "The MINDS - Minnesota Intrusion Detection System," Next Generation Data Mining, MIT Press, 2004.
8. E. Eskin, A. Arnold, M. Prerau, L. Portnoy, and S. Stolfo, "A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data," Applications of Data Mining in Computer Security, Kluwer Academic Publishers, 2002.
9. M. Ester, H.-P. Kriegel, J. Sander, and X. Xu, "A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise," Proc. Second Int'l Conf. Knowledge Discovery and Data Mining, 1996.
10. W. Fan, M. Miller, S. Stolfo, W. Lee, and P. Chan, "Using Artificial Anomalies to Detect Unknown and Known Network Intrusions," Proc. First IEEE Int'l Conf. Data Mining, Nov. 2001.
11. U.M. Fayyad and K.B. Irani, "Multi-Interval Discretization of Continuous-Valued Attributes from Classification Learning," Proc. Int'l Joint Conf. Artificial Intelligence (IJCAI '93), pp. 1022-1027, 1993.
12. S. Floyd and V. Paxson, "Difficulties in Simulating the Internet," IEEE/ACM Trans. Networking, vol. 9, no. 4, pp. 392-403, Aug. 2001.
13. K. Hwang, Y. Chen, and H. Liu, "Defending Distributed Computing Systems from Malicious Intrusions and Network Anomalies," Proc. IEEE Workshop Security in Systems and Networks (SSN '05) held with the IEEE Int'l Paralkl & Distributed Processing Symp., 2005.
14. K. Hwang, Y. Kwok, S. Song, M. Cai, Y. Chen, and Y. Chen, "DHT-Based Security Infrastructure for Trusted Internet and Grid Computing," Int'l J. Critical Infrastructures, vol. 2, no. 4, pp. 412-433, Dec. 2006.
15. Kaleton Internet, "Combination of Misuse and Anomaly Intrusion Detection Systems," http://www.kaleton.com, Mar. 2002.
16. K.S. Killourhy and R.A. Maxion, "Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits," Proc. Int'l Symp. Recent Advances in Intrusion Detection (RAID '02), pp. 54-73, Sept. 2002.
17. A. Lazarevic, L. Ertoz, V. Kumar, A. Ozgur, and J. Srivastava, "A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection," Proc. Third SIAM Conf. Data Mining, 2003, http://www.users.cs.umn.edu/kumar/papers.
18. W. Lee, S.J. Stolfo, and K. Mok, "Adaptive Intrusion Detection: A Data Mining Approach," Artificial Intelligence Rev., vol. 14, no. 6, pp. 533-567, Kluwer Academic Publishers, Dec. 2000.
19. W. Lee and S. Stolfo, "A Framework for Constructing Features and Models for Intrusion Detection Systems," ACM Trans. Information and System Security (TISSec), 2000.
20. R.P. Lippmann and J. Haines, "Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation," Proc. Third Int'l Workshop Recent Advances in Intrusion Detection (RAID '00), H. Debar, L. Me, and S.F. Wu, eds., pp. 162-182, 2000.
21. M.V. Mahoney and P.K. Chan, "An Analysis of the 1999 DARPA/ Lincoln Lab Evaluation Data for Network Anomaly Detection," Proc. Int'l Symp. Recent Advances in Intrusion Detection, pp. 220-237, Sept. 2003.
22. H. Mannila and H. Toivonen, "Discovering Generalized Episodes Using Minimal Occurrences," Proc. Second Int'l Conf. Knowledge Discovery and Data Mining, Aug. 1996.
23. J. McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Off-line Intrusion Detection System Evaluation as Performed by Lincoln Laboratory," ACM Trans. Information and System Security, vol. 3, no. 4, Nov. 2000.
24. P. Ning, S. Jajodia, and X.S. Wang, "Abstraction-Based Intrusion Detection in Distributed Environments," ACM Trans. Information and System Security, vol. 4, no. 4, pp. 407-452, Nov. 2001.
25. S. Noel, D. Wijesekera, and C. Youman, "Modern Intrusion Detection, Data Mining, and Degrees of Attack Guilt," Applications of Data Mining in Computer Security, D. Barbara and S. Jajodia, eds., Kluwer Academic Publishers, 2002.
26. V. Paxson, "Bro: A System for Detecting Network Intrusions in Real Time," Proc. Seventh USENIX Security Symp., 1998.
27. P.A. Porras and P.G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," Proc. 19th Nat'l Computer Security Conf., pp. 353-365, Oct. 1997.
28. M. Qin and K. Hwang, "Frequent Episode Rules for Internet Traffic Analysis and Anomaly Detection," Proc. IEEE Network Computing and Applications (NAC '04), Sept. 2004.
29. D.J. Ragsdale, C.A. Carver, J. Humphries, and U. Pooch, "Adaptation Techniques for Intrusion Detection and Response Systems," Proc. IEEE Int'l Conf. Systems, Man, and Cybernetics, pp. 2344-2349, Oct. 2000.
30. G.D. Ramkumar, S. Ranka, and S. Tsur, "Weighted Association Rules: Model and Algorithm," Proc. Fourth ACM Int'l Conf. Knowkdge Discovery and Data Mining, 1998.
31. M. Roesch, "SNORT - Lightweight Intrusion Detection for Networks," Proc. USENIX 13th Systems Administration Conf. (LISA '99), pp. 229-238, 1999.
32. F. Tao, F. Murtagh, and M. Farid, "Weighted Association Rule Mining Using Weighted Support and Significance Framework," Proc. Ninth ACM Int'l Conf. Knowkdge Discovery and Data Mining (SIGKDD), pp. 661-666, 2003.
33. G.B. White, E.A. Fisch, and U.W. Pooch, "Cooperating Security Managers: A Peer-Based Intrusion Detection System," IEEE Network, pp. 20-23, Jan. 1996.
34. Y. Xie, H. Kim, D.R. O'Hallaron, M.K. Reiter, and H. Zhang, "Seurat: A Pointillist Approach to Anomaly Detection," Proc. Seventh Int'l Symp. Recent Advances in Intrusion Detection (RAID '04), 2004.