Abstract
An intrusion detection system (IDS) is a security layer that detects ongoing intrusive activities in computer systems and networks. Current IDS have two main problems. First, they typically generate so many alarms, many of them false, that the system operator is overwhelmed. Second, because the monitored system changes dynamically, the intrusion detection model must be tuned continuously to maintain sufficient performance; this manual tuning process relies on the system operators to work out the updated tuning solution and to integrate it into the detection model.
In this article, we present an automatically tuning intrusion detection system that controls the number of alarms output to the system operator and tunes the detection model on the fly according to feedback provided by the system operator when false predictions are identified. The system adapts its behavior (i) by throttling the volume of alarms output to the operator in response to the operator's ability to respond to them, and (ii) by deciding how aggressively the detection model should be tuned based on the accuracy of earlier predictions. We evaluated our system using the KDDCup'99 intrusion detection dataset. Our results show that an adaptive, automatically tuning intrusion detection system will be both practical and efficient.
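The two feedback loops the abstract describes, as an added illustrative example (constructed here, not the authors' implementation): alarm output is capped by the operator's free capacity, and the size of each threshold correction grows as the accuracy of recently reviewed predictions falls. The capacity, feedback window and step sizes are assumptions.

```python
from collections import deque

# Constructed example of an adaptive alarm controller. It is not the paper's own
# algorithm; capacity, window and threshold-step values are assumed for illustration.
class AdaptiveAlarmController:
    def __init__(self, capacity=4, window=20, min_step=0.01, max_step=0.10):
        self.capacity = capacity              # alarms the operator can absorb per cycle
        self.feedback = deque(maxlen=window)  # recent verdicts: True = prediction was correct
        self.min_step, self.max_step = min_step, max_step
        self.threshold = 0.5                  # alarm only when detector score >= threshold

    def accuracy(self):
        """Fraction of recently reviewed predictions the operator confirmed as correct."""
        return sum(self.feedback) / len(self.feedback) if self.feedback else 0.5

    def tuning_step(self):
        """How aggressively to move the threshold: large when recent accuracy is poor."""
        return self.min_step + (self.max_step - self.min_step) * (1.0 - self.accuracy())

    def throttle(self, alarms, backlog):
        """alarms: list of (event_id, score). Emit only what fits in the operator's free
        capacity, highest score first; the rest is held back. Returns (emitted, held)."""
        candidates = [a for a in alarms if a[1] >= self.threshold]
        free = max(self.capacity - backlog, 0)
        ranked = sorted(candidates, key=lambda a: a[1], reverse=True)
        return ranked[:free], ranked[free:]

    def feedback_from_operator(self, verdict):
        """verdict: 'correct', 'false_positive' or 'false_negative'. A false positive
        raises the threshold, a false negative lowers it, both scaled by tuning_step()."""
        self.feedback.append(verdict == "correct")
        step = self.tuning_step()
        if verdict == "false_positive":
            self.threshold = min(1.0, self.threshold + step)
        elif verdict == "false_negative":
            self.threshold = max(0.0, self.threshold - step)
        return self.threshold

if __name__ == "__main__":
    ctl = AdaptiveAlarmController(capacity=3)
    # Constructed alarms: (event id, detector confidence score)
    batch = [("e1", 0.9), ("e2", 0.4), ("e3", 0.7), ("e4", 0.6), ("e5", 0.95)]
    print("emitted/held with 1 alarm still open:", ctl.throttle(batch, backlog=1))
    for _ in range(3):                     # three false alarms in a row
        ctl.feedback_from_operator("false_positive")
    print("threshold after 3 false positives:", round(ctl.threshold, 3))
    print("emitted/held now:", ctl.throttle(batch, backlog=0))
```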