Mining Audit Data to Build Intrusion Detection Models
In this paper we discuss a data mining framework for constructing intrusion detection models. The key ideas are to mine system audit data for consistent and useful patterns of program and user behavior, and use the set of relevant system features presented in the patterns to compute (inductively learned) classifiers that can recognize anomalies and known intrusions. Our past experiments showed that classifiers can be used to detect intrusions, provided that sufficient audit data is available for training and the right set of system features are selected. We propose to use the association rules and frequent episodes computed from audit data as the basis for guiding the audit data gathering and feature selection processes. We modify these two basic algorithms to use axis attribute(s) as a form of item constraints to compute only the relevant ("useful") patterns, and an iterative level-wise approximate mining procedure to uncover the low frequency (but important) patterns. We report our experiments in using these algorithms on real-world audit data.
- wenke-kdd98.pdf application/pdf 139 KB Download File
More About This Work
- Academic Units
- Computer Science
- Published Here
- May 4, 2010
Proceedings of the Fourth International Conference on Knowledge Discovery and Data Mining (Menlo Park, Calif.: AAAI Press, 1998).