Algorithms for mining system audit data

Authors:
Wenke Lee;Salvatore J. Stolfo;Kui W. Mok
Affiliations:
Department of Computer Science, North Carolina State University, Raleigh, NC;Department of Computer Science, Columbia University, New York, NY;Morgan Stanley Dean Witter & Co., 750 7th Avenue, New York, NY
Venue:
Data mining, rough sets and granular computing
Year:
2002

Citing 13
Cited 0

Mining association rules between sets of items in large databases

SIGMOD '93 Proceedings of the 1993 ACM SIGMOD international conference on Management of data
Finding interesting rules from large sets of discovered association rules

CIKM '94 Proceedings of the third international conference on Information and knowledge management
State Transition Analysis: A Rule-Based Intrusion Detection Approach

IEEE Transactions on Software Engineering
Decision Tree Induction Based on Efficient Tree Restructuring

Machine Learning
Mining in a data-flow environment: experience in network intrusion detection

KDD '99 Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining
Adaptive Intrusion Detection: A Data Mining Approach

Artificial Intelligence Review - Issues on the application of data mining
Security problems in the TCP/IP protocol suite

ACM SIGCOMM Computer Communication Review
Discovery of Frequent Episodes in Event Sequences

Data Mining and Knowledge Discovery
Clustering Association Rules

ICDE '97 Proceedings of the Thirteenth International Conference on Data Engineering
Mining Sequential Patterns

ICDE '95 Proceedings of the Eleventh International Conference on Data Engineering
Fast Algorithms for Mining Association Rules in Large Databases

VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
Discovery of Multiple-Level Association Rules from Large Databases

VLDB '95 Proceedings of the 21th International Conference on Very Large Data Bases
Data mining approaches for intrusion detection

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Quantified Score

Hi-index	0.00

Visualization

Abstract

We describe our research in applying data mining techniques to construct intrusion detection models. The key ideas are to mine system audit data for consistent and useful patterns of program and user behavior, and use the set of relevant system features presented in the patterns to compute classifiers that can recognize anomalies and known intrusions. Our past experiments showed that classification rules can be used to detect intrusions, provided that sufficient audit data is available for training and the right set of system features are selected. We use the association rules and frequent episodes computed from audit data as the basis for guiding the audit data gathering and feature selection processes. In order to compute only the relevant patterns, we consider the "order of importance" and "reference" relations among the attributes of data, and modify these two basic algorithms accordingly to use axis attribute(s) and reference attribute(s) as forms of item constraints in the data mining process. We also use an iterative level-wise approximate mining procedure for uncovering the low frequency but important patterns. We report our experiments in using these algorithms on real-world audit data.