Data mining aided signature discovery in network-based intrusion detection system

Quantified Score

Visualization

Abstract

In Network-based Intrusion Detection, signatures discovery is an important issue, since the performance of an intrusion detection system heavily depends on accuracy and abundance of signatures. In most cases, we have to find these signatures manually. This is a time-consuming and error-prone work. Some papers introduce data mining into Intrusion Detection System. However, there are some drawbacks in these schemes. We present a data mining based approach to supporting signature discovery in network-based Intrusion Detection System. It has people find signatures of an intrusion easily. The main idea is that: First, Signature Discovery System (SDS) tries to find the most possible signatures that occur very frequently in the communication monitored. Second, SDS will find the relationships between these candidate signatures and construct rules based on these relationships found. Finally, SDS gives two kinds of hints: one is the signatures whose frequency of occurrence is greater than a threshold; the other is a set of rules composed of a set of signatures that are created by SDS in the second step. An experimental system called SigSniffer has been implemented to test the feasibility of the proposed approach.