Home

A Data Mining Framework for Building Intrusion Detection Models

Wenke Lee; Salvatore Stolfo; Kui W. Mok

Title:
A Data Mining Framework for Building Intrusion Detection Models
Author(s):
Lee, Wenke
Stolfo, Salvatore
Mok, Kui W.
Date:
Type:
Articles
Department:
Computer Science
Permanent URL:
Notes:
Security and Privacy: Proceedings of the 1999 IEEE Symposium on Security and Privacy: May 9-12, 1999, Oakland, California (Los Alamitos, Calif.: IEEE Computer Society Press, 1999), pp. 120-132.
Abstract:
There is often the need to update an installed intrusion detection system (IDS) due to new attack methods or upgraded computing environments. Since many current IDSs are constructed by manual encoding of expert knowledge, changes to IDSs are expensive and slow. We describe a data mining framework for adaptively building Intrusion Detection (ID) models. The central idea is to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. These rules can then be used for misuse detection and anomaly detection. New detection models are incorporated into an existing IDS through a meta-learning (or co-operative learning) process, which produces a meta detection model that combines evidence from multiple models. We discuss the strengths of our data mining programs, namely, classification, meta-learning, association rules, and frequent episodes. We report on the results of applying these programs to the extensively gathered network audit data for the 1998 DARPA Intrusion Detection Evaluation Program.
Subject(s):
Computer science
Publisher DOI:
http://dx.doi.org/10.1109/SECPRI.1999.766909
Item views:
334
Metadata:
text | xml

In Partnership with the Center for Digital Research and Scholarship at Columbia University Libraries/Information Services | Terms of Use