Enhancing Profiles for Anomaly Detection Using Time Granularities

Recently, association rules have been used to generate profiles of "normal" behavior for anomaly detection. However, the time factor (especially in terms of multiple time granularities) has not been utilized extensively in generation of these profiles. In reality, user behavior during different time intervals may be very different. For example, the "normal" number and duration of FTP connections may vary from working hours to midnight, from business day to weekend or holiday. Furthermore, these variations may depend on the day of the month or the week. This paper proposes to build profiles using temporal association rules in terms of multiple time granularities, and describes algorithms to discover these profiles. Because multiple time granularities are used for the profile generation, the proposed method is more flexible and precise than previous methods that use fixed partition of time intervals. Finally, the paper describes an experiment and its preliminary result on TCP-dump data.

[1]  Arun N. Swami,et al.  Set-oriented mining for association rules in relational databases , 1995, Proceedings of the Eleventh International Conference on Data Engineering.

[2]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[3]  Shamkant B. Navathe,et al.  An Efficient Algorithm for Mining Association Rules in Large Databases , 1995, VLDB.

[4]  Carla E. Brodley,et al.  Approaches to Online Learning and Concept Drift for User Identification in Computer Security , 1998, KDD.

[5]  Jiawei Han,et al.  Discovery of Multiple-Level Association Rules from Large Databases , 1995, VLDB.

[6]  Sushil Jajodia,et al.  Detecting Novel Network Intrusions Using Bayes Estimators , 2001, SDM.

[7]  Sushil Jajodia,et al.  Time Granularities in Databases, Data Mining, and Temporal Reasoning , 2000, Springer Berlin Heidelberg.

[8]  Salvatore J. Stolfo,et al.  A data mining framework for building intrusion detection models , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[9]  Tomasz Imielinski,et al.  Mining association rules between sets of items in large databases , 1993, SIGMOD Conference.

[10]  Xiaodong Chen,et al.  Mining Temporal Features in Association Rules , 1999, PKDD.

[11]  Sridhar Ramaswamy,et al.  On the Discovery of Interesting Patterns in Association Rules , 1998, VLDB.

[12]  Carla E. Brodley,et al.  Temporal sequence learning and data reduction for anomaly detection , 1998, CCS '98.

[13]  John F. Roddick,et al.  Adding Temporal Semantics to Association Rules , 1999, PKDD.

[14]  Salvatore J. Stolfo,et al.  Mining Audit Data to Build Intrusion Detection Models , 1998, KDD.

[15]  Alfonso Valdes,et al.  Next-generation Intrusion Detection Expert System (NIDES)A Summary , 1997 .

[16]  James F. Allen Maintaining knowledge about temporal intervals , 1983, CACM.

[17]  Sridhar Ramaswamy,et al.  Cyclic association rules , 1998, Proceedings 14th International Conference on Data Engineering.

[18]  Anup K. Ghosh,et al.  A Study in Using Neural Networks for Anomaly and Misuse Detection , 1999, USENIX Security Symposium.

[19]  Sushil Jajodia,et al.  Temporal modules , 1993, Inf. Sci..

[20]  Rakesh Agarwal,et al.  Fast Algorithms for Mining Association Rules , 1994, VLDB 1994.

[21]  David Forster,et al.  A Representation for Collections of Temporal Intervals , 1986, AAAI.

[22]  Ramakrishnan Srikant,et al.  Mining Sequential Patterns: Generalizations and Performance Improvements , 1996, EDBT.

[23]  Ramakrishnan Srikant,et al.  Fast Algorithms for Mining Association Rules in Large Databases , 1994, VLDB.

[24]  Dorothy E. Denning,et al.  An Intrusion-Detection Model , 1987, IEEE Transactions on Software Engineering.

[25]  Salvatore J. Stolfo,et al.  Data Mining Approaches for Intrusion Detection , 1998, USENIX Security Symposium.