Mining fuzzy association rules in databases
ACM SIGMOD Record
Adaptive Intrusion Detection: A Data Mining Approach
Artificial Intelligence Review - Issues on the application of data mining
Discovery of Frequent Episodes in Event Sequences
Data Mining and Knowledge Discovery
Frequent Episode Rules for Internet Anomaly Detection
NCA '04 Proceedings of the Network Computing and Applications, Third IEEE International Symposium
Monitoring hacker activity with a Honeynet
International Journal of Network Management
Scalability, fidelity, and containment in the potemkin virtual honeyfarm
Proceedings of the twentieth ACM symposium on Operating systems principles
An Active Splitter Architecture for Intrusion Detection and Prevention
IEEE Transactions on Dependable and Secure Computing
Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes
IEEE Transactions on Dependable and Secure Computing
Analysis of distributed intrusion detection systems using Bayesian methods
PCC '02 Proceedings of the Performance, Computing, and Communications Conference, 2002. on 21st IEEE International
A parallel genetic local search algorithm for intrusion detection in computer networks
Engineering Applications of Artificial Intelligence
An Automatically Tuning Intrusion Detection System
IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics
Mining association rules from time series to explain failures in a hot-dip galvanizing steel line
Computers and Industrial Engineering
Hi-index | 0.00 |
This paper proposes a framework that applies frequent episode rules, implemented by finite state machines (FSMs), to design a real-time network-based intrusion prevention system (NIPS) for Probe/Exploit (hacking) intrusion. This type of Probe/Exploit (hacking) intrusion is executed by a series of relevant actions that occur in some sequence. In frequent episode rules mining, data are viewed as a sequence of events, where each event has an associated time of occurrence; thus, such mining technique has significant effect on discovering sophisticated Probe/Exploit intrusion attacks. Prior to a devastating attack on a victim's computer, the hacker must gather information about the victim, and transfer instructions or files to the victim's computer. The proposed system could detect such abnormal episodes and repel hackers from the firewall before they are able to launch a deadly attack. In one network service (a corresponding port number), mine frequent episode rules from the log files of a commercial honeypot system, then refine the rules, which eventually constructs a finite state machine to protect the network service, according to the refined rules. During implementation and simulation, this study applied the framework focus on protecting a Server Message Block (SMB) protocol, which is the most important protocol in Microsoft's Windows Network. As confirmed in the experiments, this study successfully mined sophisticated intrusion episodes and demonstrated the efficiency of tracing connections by a FSM. The framework of intrusion prevention proposed in this paper can be modified straightforward to protect other network services.