Automated Intrusion Detection Methods Using NFR

Wenke Lee; Christopher T. Park; Salvatore Stolfo

Automated Intrusion Detection Methods Using NFR
Lee, Wenke
Park, Christopher T.
Stolfo, Salvatore
Computer Science
Persistent URL:
Proceedings of the Workshop on Intrusion Detection and Network Monitoring (ID '99): April 9-12, 1999, Santa Clara, California (Berkeley, Calif.: USENIX Association, 1999).
There is often the need to update an installed Intrusion Detection System (IDS) due to new attack methods or upgraded computing environments. Since many current IDSs are constructed by manual encoding of expert security knowledge, changes to IDSs are expensive and require a large amount of programming and debugging. We describe a data mining framework for adaptively building Intrusion Detection (ID) models specifically for use with Network Flight Recorder (NFR). The central idea is to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. These rules can be used for misuse detection and anomaly detection. Detection models are then incorporated into NFR through a machine translator, which produces a working detection model in the form of N-Code, NFR's powerful filtering language.
Computer science
Item views
text | xml
Suggested Citation:
Wenke Lee, Christopher T. Park, Salvatore Stolfo, 1999, Automated Intrusion Detection Methods Using NFR, Columbia University Academic Commons, http://hdl.handle.net/10022/AC:P:8731.

Center for Digital Research and Scholarship at Columbia University Libraries | Terms of Use | Copyright