
Modern Intrusion Detection, Data Mining, and Degrees of Attack Guilt

Chapter in: Applications of Data Mining in Computer Security

Part of the book series: Advances in Information Security ((ADIS,volume 6))

Abstract

This chapter examines the state of modern intrusion detection, with a particular emphasis on the emerging approach of data mining. The discussion is organized along two important aspects of intrusion detection: general detection strategy (misuse detection versus anomaly detection) and data source (individual hosts versus network traffic). Misuse detection attempts to match known patterns of intrusion, while anomaly detection searches for deviations from normal behavior. Of the two approaches, only anomaly detection has the ability to detect unknown attacks. A particularly promising approach to anomaly detection combines association mining with other forms of machine learning such as classification. Moreover, the data source that an intrusion detection system employs significantly impacts the types of attacks it can detect: there is a tradeoff between the level of detailed information available and the data volume. We introduce a novel way of characterizing intrusion detection activities: degree of attack guilt. It is useful for qualifying the degree of confidence associated with detection events, providing a framework in which we analyze detection quality versus cost.
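The contrast the abstract draws between misuse detection (matching known patterns) and anomaly detection (deviation from a learned baseline), and the quality-versus-cost tradeoff that follows from it, can be seen in a small host-audit setting. The following is an added example and not code from the chapter or its authors: the audit records, the user profiles, the single "known-bad" signature and the frequency-based anomaly score are all constructed here for illustration, and the score is a deliberately simple stand-in for the statistical and data-mining models the chapter surveys.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]  # (user, command name) from a hypothetical host audit trail

# Constructed normal-activity records used to learn per-user profiles (not real data).
TRAINING: List[Record] = [
    ("alice", "ls"), ("alice", "ls"), ("alice", "vim"), ("alice", "vim"),
    ("alice", "make"), ("alice", "make"), ("alice", "ls"), ("alice", "git"),
    ("alice", "git"), ("alice", "ls"),
    ("bob", "psql"), ("bob", "psql"), ("bob", "psql"), ("bob", "ls"),
]

# Constructed evaluation records: one frequent command, one known-bad tool,
# one never-seen tool (standing in for an unknown attack) and one rare but
# legitimate command.
TEST: List[Record] = [
    ("alice", "ls"),
    ("alice", "known_bad_tool"),
    ("alice", "novel_tool"),
    ("alice", "git"),
]

# Misuse detection: a hypothetical signature list of known attack patterns.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "known-bad-tool": re.compile(r"^known_bad_"),
}


def misuse_detect(records: List[Record]) -> List[Tuple[Record, str]]:
    """Flag every record whose command matches a known-attack signature."""
    hits = []
    for rec in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec[1]):
                hits.append((rec, name))
                break
    return hits


def build_profile(training: List[Record]) -> Dict[str, Counter]:
    """Per-user command frequency profile learned from normal activity."""
    profile: Dict[str, Counter] = defaultdict(Counter)
    for user, cmd in training:
        profile[user][cmd] += 1
    return profile


def anomaly_score(profile: Dict[str, Counter], user: str, cmd: str) -> float:
    """1 minus the relative frequency of cmd in the user's history.

    An unseen command (or an unknown user) scores 1.0, the maximum deviation.
    """
    history = profile.get(user)
    if not history:
        return 1.0
    return 1.0 - history[cmd] / sum(history.values())


def anomaly_detect(profile: Dict[str, Counter], records: List[Record],
                   threshold: float = 0.9) -> List[Tuple[Record, float]]:
    """Flag records whose anomaly score reaches the threshold."""
    flagged = []
    for rec in records:
        score = anomaly_score(profile, *rec)
        if score >= threshold:
            flagged.append((rec, score))
    return flagged


def compare(threshold: float = 0.9) -> Dict[str, Set[Record]]:
    """Partition the test records by which strategy flagged them."""
    profile = build_profile(TRAINING)
    misuse = {rec for rec, _ in misuse_detect(TEST)}
    anomaly = {rec for rec, _ in anomaly_detect(profile, TEST, threshold)}
    return {
        "both": misuse & anomaly,
        "misuse_only": misuse - anomaly,
        "anomaly_only": anomaly - misuse,
    }


if __name__ == "__main__":
    for t in (0.9, 0.75):
        print(f"threshold={t}: {compare(t)}")
```

At a threshold of 0.9 the known tool is caught by both strategies and the never-seen tool only by the anomaly detector, which is the abstract's point that only anomaly detection can reach unknown attacks. Lowering the threshold to 0.75 also flags alice's rare but legitimate `git` use: the detector gains sensitivity at the price of a false alarm, which is the quality-versus-cost tradeoff the chapter's degree-of-attack-guilt framework is meant to reason about.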




Copyright information

© 2002 Springer Science+Business Media New York


Cite this chapter

Noel, S., Wijesekera, D., Youman, C. (2002). Modern Intrusion Detection, Data Mining, and Degrees of Attack Guilt. In: Barbará, D., Jajodia, S. (eds) Applications of Data Mining in Computer Security. Advances in Information Security, vol 6. Springer, Boston, MA. https://doi.org/10.1007/978-1-4615-0953-0_1


  • DOI: https://doi.org/10.1007/978-1-4615-0953-0_1

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4613-5321-8

  • Online ISBN: 978-1-4615-0953-0

  • eBook Packages: Springer Book Archive
