Mining Audit Data to Build Intrusion Detection Models

Wenke Lee; Salvatore Stolfo; Kui W. Mok

Proceedings of the Fourth International Conference on Knowledge Discovery and Data Mining (Menlo Park, Calif.: AAAI Press, 1998).
In this paper we discuss a data mining framework for constructing intrusion detection models. The key ideas are to mine system audit data for consistent and useful patterns of program and user behavior, and use the set of relevant system features presented in the patterns to compute (inductively learned) classifiers that can recognize anomalies and known intrusions. Our past experiments showed that classifiers can be used to detect intrusions, provided that sufficient audit data is available for training and the right set of system features is selected. We propose to use the association rules and frequent episodes computed from audit data as the basis for guiding the audit data gathering and feature selection processes. We modify these two basic algorithms to use axis attribute(s) as a form of item constraints to compute only the relevant ("useful") patterns, and an iterative level-wise approximate mining procedure to uncover the low frequency (but important) patterns. We report our experiments in using these algorithms on real-world audit data.
Computer science
Suggested Citation:
Wenke Lee, Salvatore Stolfo, Kui W. Mok, Mining Audit Data to Build Intrusion Detection Models, Columbia University Academic Commons.
