An adaptive automatically tuning intrusion detection system

Published: 13 August 2008

Abstract

An intrusion detection system (IDS) is a security layer that detects ongoing intrusive activities in computer systems and networks. Current IDSs have two main problems. The first is that they typically generate so many alarms that the system operator is overwhelmed, and many of these alarms are false. The second is that the intrusion detection model must be tuned continuously to maintain sufficient performance, because the monitored system changes dynamically. This manual tuning process relies on the system operators to work out the updated tuning solution and to integrate it into the detection model.

In this article, we present an automatically tuning intrusion detection system, which controls the number of alarms output to the system operator and tunes the detection model on the fly according to feedback provided by the system operator when false predictions are identified. This system adapts its behavior (i) by throttling the volume of alarms output to the operator in response to the ability of the operator to respond to these alarms, and (ii) by deciding how aggressively the detection model should be tuned based on the accuracy of earlier predictions. We evaluated our system using the KDDCup'99 intrusion detection dataset. Our results show that an adaptive, automatically tuning intrusion detection system is both practical and efficient.
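As an added illustration (not the paper's own algorithm; the abstract does not give its detection model or tuning rules), the following Python sketch implements the two feedback loops the abstract describes: an alarm budget that shrinks when the operator cannot keep up, and a threshold adjustment whose step size depends on the accuracy of recent operator-verified predictions. The anomaly scores, operator capacity, learning rate and the exact tuning rule are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AdaptiveIDS:
    """Toy controller for the two adaptation loops described in the abstract."""
    threshold: float = 0.5       # an alarm is raised when a score >= threshold
    capacity: int = 3            # alarms the operator can review per window (assumed)
    learning_rate: float = 0.1   # base step for moving the threshold (assumed)
    feedback: list = field(default_factory=list)  # (predicted_attack, actual_attack)

    def accuracy(self, window: int = 10) -> float:
        """Fraction of the most recent operator-verified predictions that were correct."""
        recent = self.feedback[-window:]
        if not recent:
            return 1.0
        return sum(p == a for p, a in recent) / len(recent)

    def throttle(self, scores, reviewed_last_window: int):
        """(i) Emit at most `capacity` alarms, highest score first. If the operator
        reviewed fewer alarms than we emitted last window, shrink the budget."""
        if reviewed_last_window < self.capacity:
            self.capacity = max(1, reviewed_last_window)
        candidates = sorted((s for s in scores if s >= self.threshold), reverse=True)
        return candidates[:self.capacity]

    def tune(self, predicted_attack: bool, actual_attack: bool) -> float:
        """(ii) Record operator feedback and, on a false prediction, move the
        threshold by a step that grows as recent accuracy falls (assumed rule)."""
        self.feedback.append((predicted_attack, actual_attack))
        step = self.learning_rate * (1.0 - self.accuracy())
        if predicted_attack and not actual_attack:     # false alarm: be stricter
            self.threshold = min(0.99, self.threshold + step)
        elif actual_attack and not predicted_attack:   # missed attack: be more sensitive
            self.threshold = max(0.01, self.threshold - step)
        return self.threshold


def run_demo() -> dict:
    """One constructed monitoring window followed by operator feedback."""
    ids = AdaptiveIDS()
    window = [0.9, 0.7, 0.55, 0.3, 0.6, 0.8]               # constructed anomaly scores
    alarms = ids.throttle(window, reviewed_last_window=3)  # 5 candidates, 3 shown
    ids.tune(True, False)                                  # false alarm -> threshold 0.6
    ids.tune(True, True)
    ids.tune(True, True)                                   # confirmed alarms: no change
    ids.tune(True, False)                                  # accuracy 0.5 -> step 0.05
    ids.tune(False, True)                                  # missed attack -> threshold down
    next_alarms = ids.throttle(window, reviewed_last_window=2)  # budget shrinks to 2
    return {"alarms": alarms, "threshold": ids.threshold,
            "capacity": ids.capacity, "next_alarms": next_alarms}
```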


Published in

ACM Transactions on Autonomous and Adaptive Systems, Volume 3, Issue 3 (August 2008), 125 pages
ISSN: 1556-4665, EISSN: 1556-4703
DOI: 10.1145/1380422
Copyright © 2008 ACM
Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

  • Published: 13 August 2008
  • Accepted: 1 June 2008
  • Revised: 1 May 2008
  • Received: 1 August 2007
