Weighting versus pruning in rule validation for detecting network and host anomalies

Authors:
Gaurav Tandon;Philip K. Chan
Affiliations:
Florida Institute of Technology;Florida Institute of Technology
Venue:
Proceedings of the 13th ACM SIGKDD international conference on Knowledge discovery and data mining
Year:
2007

Citing 18
Cited 2

The weighted majority algorithm

Information and Computation
Wide area traffic: the failure of Poisson modeling

IEEE/ACM Transactions on Networking (TON)
Empirical Support for Winnow and Weighted-MajorityAlgorithms: Results on a Calendar Scheduling Domain

Machine Learning
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
Service specific anomaly detection for network intrusion detection

Proceedings of the 2002 ACM symposium on Applied computing
Practical automated detection of stealthy portscans

Journal of Computer Security
Learning Quickly When Irrelevant Attributes Abound: A New Linear-Threshold Algorithm

Machine Learning
Fast Algorithms for Mining Association Rules in Large Databases

VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
Anomaly Detection Using Call Stack Information

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Learning Rules for Anomaly Detection of Hostile Network Traffic

ICDM '03 Proceedings of the Third IEEE International Conference on Data Mining
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Anomalous system call detection

ACM Transactions on Information and System Security (TISSEC)
Dataflow Anomaly Detection

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
On gray-box program tracking for anomaly detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
A study in using neural networks for anomaly and misuse detection

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Anomaly detection: A survey

ACM Computing Surveys (CSUR)
Anomaly detection in categorical datasets using bayesian networks

AICI'11 Proceedings of the Third international conference on Artificial intelligence and computational intelligence - Volume Part II

Quantified Score

Hi-index	0.00

Visualization

Abstract

For intrusion detection, the LERAD algorithm learns a succinct set of comprehensible rules for detecting anomalies, which could be novel attacks. LERAD validates the learned rules on a separate held-out validation set and removes rules that cause false alarms. However, removing rules with possible high coverage can lead to missed detections. We propose to retain these rules and associate weights to them. We present three weighting schemes and our empirical results indicate that, for LERAD, rule weighting can detect more attacks than pruning with minimal computational overhead.