A framework for constructing features and models for intrusion detection systems

ACM Trans. Inf. Syst. Secur., no. 4 (2000): 227-261


Abstract

Intrusion detection (ID) is an important component of infrastructure protection mechanisms. Intrusion detection systems (IDSs) need to be accurate, adaptive, and extensible. Given these requirements and the complexities of today's network environments, we need a more systematic and automated IDS development process rather than the pure kn...

Introduction
  • As network-based computer systems play increasingly vital roles in modern society, they have become the target of intrusions by the enemies and criminals.
  • For example, IDIOT [Kumar and Spafford 1995] and STAT [Ilgun et al. 1995] use patterns of well-known attacks or weak spots of the system to match and identify known intrusions.
  • Misuse detection techniques in general are not effective against novel attacks that have no matched rules or patterns yet.
  • The normal profile of a user may contain the averaged frequencies of some system commands used in his or her login sessions.
  • Some IDSs, e.g., IDES and NIDES [Anderson et al. 1995], use both anomaly and misuse detection techniques
Highlights
  • As network-based computer systems play increasingly vital roles in modern society, they have become the target of intrusions by our enemies and criminals
  • We have developed a set of tools that can be applied to a variety of audit data sources to generate intrusion detection models
  • We report the performance of our detection models as evaluated by MIT Lincoln Lab
  • Our research focuses on developing methods for constructing intrusion detection models
  • Our experiments showed that the frequent patterns mined from audit data can be used as reliable user anomaly detection models, and as guidelines for selecting temporal statistical features to build effective classification models
  • Results from the 1998 DARPA Intrusion Detection Evaluation Program showed that our detection models performed as well as the best systems built using the manual knowledge engineering approaches
Methods
  • The authors describe the experiments in building intrusion detection models on the audit data from the 1998 DARPA Intrusion Detection Evaluation Program.
  • The authors describe the experiments in building host-based intrusion detection models using BSM data.
  • The purpose of these experiments was to show that the algorithms for pattern mining and feature construction are not specific to a particular audit data source, e.g. tcpdump.
  • Each audit record in an audit file describes a single audit event, which can be a kernel event, i.e., a system call, or a user-level event, i.e., a system program invocation
Results
  • The authors report the performance of the detection models as evaluated by MIT Lincoln Lab. The authors trained the intrusion detection models, i.e., the base models and the meta-level classifier, using the 7 weeks of labeled data, and used them to make predictions on the 2 weeks of unlabeled test data (i.e., the authors were not told which connection is an attack).
  • Figure 2 shows the ROC curves of the detection models by attack categories as well as on all intrusions
  • In each of these ROC plots, the x-axis is the false alarm rate, calculated as the percentage of normal connections classified as an intrusion; the y-axis is the detection rate, calculated as the percentage of intrusions detected.
  • The authors compare here the models with other participants in the DARPA evaluation program
  • These participating groups used knowledge engineering approaches to build their intrusion detection models.
  • An overall detection rate of below 70% is hardly satisfactory in a mission critical environment
Conclusions
  • PROBING attacks have relatively limited variance because they all involve making connections to a large number of hosts or ports in a given time frame.
  • The key idea is to first apply data mining programs to audit data to compute frequent patterns, extract features, and use classification algorithms to compute detection models.
  • The authors' experiments showed that the frequent patterns mined from audit data can be used as reliable user anomaly detection models, and as guidelines for selecting temporal statistical features to build effective classification models.
  • Results from the 1998 DARPA Intrusion Detection Evaluation Program showed that the detection models performed as well as the best systems built using the manual knowledge engineering approaches
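The feature-construction step named in the conclusions (temporal statistical features such as the count, srv count, rerror% and diff srv% columns of Table 10) and the detection rate and false alarm rate defined in the results, as an added Python example that is not code from the paper or from this page. The 2-second window, the record layout and the probe rule are constructed assumptions for illustration, not the paper's own.

```python
from dataclasses import dataclass

# Assumption: the paper's exact window length is not stated on this page.
WINDOW_SECONDS = 2.0

@dataclass
class Conn:
    time: float    # connection start time, seconds
    dst: str       # destination host
    service: str   # e.g. "http", "telnet"
    flag: str      # connection status summary: "SF" normal, "REJ" rejected
    label: str     # ground truth, used only for evaluation

def temporal_features(conns):
    """Per connection: statistics over connections to the same destination
    host within the past WINDOW_SECONDS (the Table 10 feature names)."""
    feats = []
    for i, c in enumerate(conns):
        past = [p for p in conns[:i + 1]
                if p.dst == c.dst and c.time - p.time <= WINDOW_SECONDS]
        count = len(past)                        # connections to same host
        srv_count = sum(p.service == c.service for p in past)  # same service
        rerror = 100.0 * sum(p.flag == "REJ" for p in past) / count
        diff_srv = 100.0 * (count - srv_count) / count  # other services
        feats.append({"count": count, "srv_count": srv_count,
                      "rerror%": round(rerror, 1), "diff_srv%": round(diff_srv, 1)})
    return feats

def probe_rule(f):
    """Constructed RIPPER-style rule (not one of the paper's): a burst of
    rejected connections to many different services on one host is a probe."""
    if f["count"] >= 3 and f["diff_srv%"] >= 60.0 and f["rerror%"] >= 50.0:
        return "probe"
    return "normal"

def evaluate(conns):
    """Detection rate: % of intrusions detected. False alarm rate: % of normal
    connections classified as an intrusion (the Results section's definitions)."""
    preds = [probe_rule(f) for f in temporal_features(conns)]
    hits = [p != "normal" for c, p in zip(conns, preds) if c.label != "normal"]
    fps = [p != "normal" for c, p in zip(conns, preds) if c.label == "normal"]
    return round(100.0 * sum(hits) / len(hits), 1), round(100.0 * sum(fps) / len(fps), 1)

# Constructed sample: two normal HTTP fetches to host A, then six rejected
# connections to six different services on host B within one second.
SAMPLE = [Conn(0.0, "A", "http", "SF", "normal"), Conn(0.5, "A", "http", "SF", "normal")]
SAMPLE += [Conn(10.0 + 0.15 * k, "B", s, "REJ", "probe")
           for k, s in enumerate(["ftp", "ssh", "telnet", "smtp", "http", "pop3"])]
```

Running `evaluate(SAMPLE)` shows why per-connection window features lag: the first two connections of the scan look normal until the window has filled, so only 4 of the 6 probe connections are flagged.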
Tables
  • Table1: Table 1
  • Table2: Example RIPPER Rules from Telnet Records Shown in Table 1
  • Table3: Table 3
  • Table4: Example Association Rules from Shell Command Data Shown in Table 3
  • Table5: Table 5
  • Table6: Example Intrusion Pattern
  • Table7: Table 7
  • Table8: Table 8
  • Table9: Table 9
  • Table10: Example "Traffic" Connection Records: label service flag count srv count rerror% diff srv%
  • Table11: Example RIPPER Rules for DoS and PROBING Attacks
  • Table12: Example TCP Connection Records: label service flag hot failed logins compromised root shell su
  • Table13: Example RIPPER Rules for R2L and U2R Attacks
  • Table14: Model Complexities
  • Table15: Comparing Detection Rates (in %) on Old and New Attacks
        Category   Old    New
        DoS        79.9   24.3
        PROBING    97.0   96.7
        U2R        75.0   81.8
        R2L        60.0    5.9
        Overall    80.2   37.7
  • Table16: User Descriptions. Normal Activities: Logs in as root, cats the password file, and runs commands such as top. Writes public domain C code, uses a vi editor, compiles the C code, reads and sends mails, and executes unix commands. A similar user profile, but works in afternoons and evenings. Edits latex files, runs latex, reads mails, and sends mails. Reads and sends mails. Reads mails.
  • Table17: User Anomaly Description. Normal
  • Table18: Similarity Against User's Own Profile: in Normal Use and in the Anomaly described in Table 17
  • Table19: Similarity Against Group Profiles: in Normal Use and in the Anomaly described in
  • Table20: Example BSM Event Records: time auid sid event pid obname
  • Table21: Table 21
  • Table22: Table 22
  • Table23: Example BSM Session Records: label service suid sh suid p user p file creations
  • Table24: Example RIPPER Rules for BSM Session Records Shown in Table 23
Related Work
  • Network intrusion detection has been an on-going research area [Mukherjee et al. 1994]. More recent systems, e.g. Bro [Paxson 1998], NFR [Network Flight Recorder Inc. 1997], and EMERALD [Porras and Neumann 1997] all made extensibility their primary design goals. Both Bro and NFR provide high-level scripting languages for codifying the site-specific intrusion detection rules, which are executed in run-time as event handlers by the packet filtering and re-assembly engines. Our research focuses on developing methods for constructing intrusion detection models. Our motivation is to use robust IDSs such as Bro and NFR as the building blocks, and provide a framework so that site-specific models can be computed and installed automatically.

    EMERALD provides an architecture to facilitate enterprise-wide deployment and configuration of intrusion detectors. The meta-learning mechanism in our framework is designed to automate the process of learning a "resolver", which is needed to combine the alarms from the distributed detectors to make a determination of the state of the (entire) network. The meta-learning results reported in this paper are preliminary. We will study how to incorporate network configuration information into the meta-learning process.
Funding
  • This research is supported in part by grants from DARPA (F30602-96-1-0311)
References
  • Agrawal, R., Imielinski, T., and Swami, A. 1993. Mining association rules between sets of items in large databases. In Proceedings of the ACM SIGMOD Conference on Management of Data (1993), pp. 207-216.
  • Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E. 2000. State of the practice of intrusion detection technologies. Technical Report CMU/SEI-99TR-028, CMU/SEI.
  • Anderson, D., Frivold, T., and Valdes, A. 1995. Next-generation intrusion detection expert system (NIDES): A summary. Technical Report SRI-CSL-95-07 (May), Computer Science Laboratory, SRI International, Menlo Park, California.
  • Chan, P. K. and Stolfo, S. J. 1993. Toward parallel and distributed learning by meta-learning. In AAAI Workshop in Knowledge Discovery in Databases (1993), pp. 227-240.
  • Cohen, W. W. 1995. Fast effective rule induction. In Machine Learning: the 12th International Conference (Lake Tahoe, CA, 1995). Morgan Kaufmann.
  • Fayyad, U., Piatetsky-Shapiro, G., and Smyth, P. 1996. The KDD process of extracting useful knowledge from volumes of data. Communications of the ACM 39, 11 (November), 27-34.
  • Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for Unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy (Los Alamitos, CA, 1996), pp. 120-128. IEEE Computer Society Press.
  • Ghosh, A. K. and Schwartzbard, A. 1999. A study in using neural networks for anomaly and misuse detection. In Proceedings of the 8th USENIX Security Symposium (August 1999).
  • Ilgun, K. 1992. USTAT: A real-time intrusion detection system for Unix. Master's thesis, University of California at Santa Barbara.
  • Ilgun, K., Kemmerer, R. A., and Porras, P. A. 1995. State transition analysis: A rule-based intrusion detection approach. IEEE Transactions on Software Engineering 21, 3 (March), 181-199.
  • Jacobson, V., Leres, C., and McCanne, S. 1989. tcpdump. Available via anonymous ftp to ftp.ee.lbl.gov.
  • Ko, C., Fink, G., and Levitt, K. 1994. Automated detection of vulnerabilities in privileged programs by execution monitoring. In Proceedings of the 10th Annual Computer Security Applications Conference (December 1994), pp. 134-144.
  • Kumar, S. and Spafford, E. H. 1995. A software architecture to support misuse intrusion detection. In Proceedings of the 18th National Information Security Conference (1995), pp. 194-204.
  • Lane, T. and Brodley, C. E. 1999. Temporal sequence learning and data reduction for anomaly detection. ACM Transactions on Information and System Security 2, 3 (August), 295-331.
  • Lee, W. 1999. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. Ph.D. thesis, Columbia University.
  • Lee, W. and Stolfo, S. J. 1998. Data mining approaches for intrusion detection. In Proceedings of the 7th USENIX Security Symposium (San Antonio, TX, January 1998).
  • Lee, W., Stolfo, S. J., and Mok, K. W. 1999a. A data mining framework for building intrusion detection models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy (May 1999).
  • Lee, W., Stolfo, S. J., and Mok, K. W. 1999b. Mining in a data-flow environment: Experience in network intrusion detection. In Proceedings of the 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD-99) (August 1999).
  • Lunt, T. 1993. Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology (1993).
  • Lunt, T., Tamaru, A., Gilham, F., Jagannathan, R., Neumann, P., Javitz, H., Valdes, A., and Garvey, T. 1992. A real-time intrusion detection expert system (IDES) - final technical report. Technical report (February), Computer Science Laboratory, SRI International, Menlo Park, California.
  • Mannila, H. and Toivonen, H. 1996. Discovering generalized episodes using minimal occurrences. In Proceedings of the 2nd International Conference on Knowledge Discovery in Databases and Data Mining (Portland, Oregon, August 1996).
  • Mannila, H., Toivonen, H., and Verkamo, A. I. 1995. Discovering frequent episodes in sequences. In Proceedings of the 1st International Conference on Knowledge Discovery in Databases and Data Mining (Montreal, Canada, August 1995).
  • Mitchell, T. 1997. Machine Learning. McGraw-Hill.
  • Mukherjee, B., Heberlein, L. T., and Levitt, K. N. 1994. Network intrusion detection. IEEE Network.
  • Network Flight Recorder Inc. 1997. Network flight recorder. http://www.nfr.com.
  • Paxson, V. 1998. Bro: A system for detecting network intruders in real-time. In Proceedings of the 7th USENIX Security Symposium (San Antonio, TX, 1998).
  • Porras, P. A. and Neumann, P. G. 1997. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference (Baltimore MD, October 1997).
  • 1997. JAM: Java agents for meta-learning over distributed databases. In Proceedings of the 3rd International Conference on Knowledge Discovery and Data Mining (Newport Beach, CA, August 1997), pp. 74-81. AAAI Press.
  • SunSoft. 1995. SunSHIELD Basic Security Module Guide. Mountain View, CA: SunSoft.
  • Warrender, C., Forrest, S., and Pearlmutter, B. 1999. Detecting intrusions using system calls: Alternative data models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy (May 1999).