This paper introduces a new Internet trace technique for generating frequent episode rules to characterize Internet traffic events. These episode rules are used to distinguish anomalous sequences of TCP, UDP, or ICMP connections from normal traffic episodes. Fundamental pruning techniques are introduced to reduce the rule search space by 70%. The new detection scheme was tested over real-life Internet trace data at USC. Our anomaly detection scheme results in a success rate of 47% for DoS, R2L, and port-scanning attacks. These results demonstrate an average of 51% improvement over the use of association rules. We experienced 20 or fewer false alarms over 200 network attacks in 9 days of tracing experiments. This anomaly detection scheme can be used jointly with a signature-based IDS to achieve even higher detection efficiency.
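The abstract names three pieces of the technique: windowed frequent-episode mining over a connection trace, pruning of the candidate episode space, and rule-based scoring of anomalous sequences. The following is an added illustration of those pieces in the general form (Mannila-style serial episodes with apriori pruning); it is not the paper's code, the window width, thresholds and the DNS/HTTP/HTTPS "normal" pattern are assumptions, and every trace below is constructed rather than taken from the USC data.

```python
"""Frequent-episode rule mining over a connection trace, with apriori-style
pruning and rule-violation scoring. Added illustration of the technique the
abstract describes; not the paper's code. All traces here are constructed."""
from itertools import takewhile

WIDTH = 1.0       # window width in seconds (assumed)
MIN_FREQ = 0.10   # minimum fraction of windows an episode must occur in (assumed)
MIN_CONF = 0.80   # minimum rule confidence (assumed)


def make_normal_trace(sessions=40):
    """Constructed 'normal' trace: DNS lookup, then HTTP, then HTTPS every
    2 s, with an SSH connection every fifth session. Events are
    (timestamp_seconds, event_type) where event_type is protocol:port."""
    trace = []
    for i in range(sessions):
        t = 2.0 * i
        trace += [(t, "UDP:53"), (t + 0.2, "TCP:80"), (t + 0.5, "TCP:443")]
        if i % 5 == 0:
            trace.append((t + 0.7, "TCP:22"))
    return trace


def make_attack_trace():
    """Constructed test trace: five normal sessions, then a burst of 30 DNS
    queries with no web traffic behind them, then a sweep of four ports."""
    trace = make_normal_trace(sessions=5)
    trace += [(20.0 + 0.05 * j, "UDP:53") for j in range(30)]
    trace += [(30.0 + 0.1 * j, p)
              for j, p in enumerate(["TCP:21", "TCP:23", "TCP:25", "TCP:110"])]
    return trace


def windows(trace, width):
    """One window per event: the event types in [t_i, t_i + width), in time order."""
    trace = sorted(trace)
    for i, (start, _) in enumerate(trace):
        yield start, [typ for _, typ in takewhile(lambda e: e[0] < start + width, trace[i:])]


def occurs(episode, types):
    """Serial episode: its events appear in this order, not necessarily adjacent."""
    pos = 0
    for typ in types:
        if typ == episode[pos]:
            pos += 1
            if pos == len(episode):
                return True
    return False


def mine_episodes(trace, width=WIDTH, min_freq=MIN_FREQ, max_len=3):
    """Level-wise serial-episode mining. Returns {episode: frequency} plus
    how many candidates were generated and how many were pruned uncounted."""
    wins = [types for _, types in windows(trace, width)]

    def freq(ep):
        return sum(occurs(ep, w) for w in wins) / len(wins)

    frequent = {}
    for typ in sorted({typ for _, typ in trace}):
        f = freq((typ,))
        if f >= min_freq:
            frequent[(typ,)] = f
    singles = [ep for ep in frequent]
    level, stats = list(singles), {"candidates": 0, "pruned": 0}
    for _ in range(max_len - 1):
        nxt = []
        for ep in level:
            for (typ,) in singles:
                cand = ep + (typ,)
                stats["candidates"] += 1
                # Apriori pruning: every sub-episode (drop one event) must be
                # frequent, since any occurrence of cand contains all of them.
                subs = [cand[:j] + cand[j + 1:] for j in range(len(cand))]
                if any(sub not in frequent for sub in subs):
                    stats["pruned"] += 1
                    continue
                f = freq(cand)
                if f >= min_freq:
                    frequent[cand] = f
                    nxt.append(cand)
        level = nxt
    return frequent, stats


def episode_rules(frequent, min_conf=MIN_CONF):
    """Rule (antecedent -> consequent) from each frequent episode of length >= 2;
    confidence = freq(antecedent + consequent) / freq(antecedent)."""
    rules = {}
    for ep, f in frequent.items():
        if len(ep) >= 2:
            ante, cons = ep[:-1], ep[-1]
            conf = f / frequent[ante]   # ante is frequent by construction
            if conf >= min_conf:
                rules[(ante, cons)] = conf
    return rules


def score_trace(trace, rules, known_types, width=WIDTH):
    """Flag windows where a rule's antecedent occurred but the episode never
    completed, and collect event types never seen in the training trace."""
    flagged, unseen = [], set()
    for start, types in windows(trace, width):
        violated = [r for r in rules
                    if occurs(r[0], types) and not occurs(r[0] + (r[1],), types)]
        if violated:
            flagged.append((start, violated))
        unseen.update(t for t in types if t not in known_types)
    return flagged, unseen


if __name__ == "__main__":
    normal = make_normal_trace()
    frequent, stats = mine_episodes(normal)
    rules = episode_rules(frequent)
    print(f"candidates={stats['candidates']} pruned={stats['pruned']}")
    for (ante, cons), conf in sorted(rules.items()):
        print(f"{' -> '.join(ante)} => {cons}  conf={conf:.2f}")
    flagged, unseen = score_trace(make_attack_trace(), rules, {t for _, t in normal})
    print(f"{len(flagged)} windows violated a rule; unseen types: {sorted(unseen)}")
```

On the constructed traces, pruning discards half of the generated candidates before any window is counted, the DNS burst is caught as 30 windows in which "UDP:53" is not followed by the expected "TCP:80"/"TCP:443", and the port sweep triggers no rule at all and only surfaces as previously unseen event types. That last case is the practical reason the abstract recommends running an episode-rule detector alongside a signature-based IDS rather than instead of one.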