Mining in a data-flow environment: experience in network intrusion detection

We discuss the KDD process in "data-flow" environments, where unstructured and time-dependent data are processed into various levels of structured and semantically rich forms for analysis tasks. Using network intrusion detection as a concrete application example, we describe how to construct models that are both accurate in describing the underlying concepts and efficient when used to analyze data in real time. We present procedures for analyzing frequent patterns in lower-level data and constructing appropriate features to formulate higher-level data. The features generated from the various levels of data have different computational costs (in time and space). We show that, in order to minimize the time required to apply the classification models in a real-time environment, we can exploit the "necessary conditions" associated with the low-cost features to determine whether some high-cost features need to be computed and whether the corresponding classification rules need to be checked. We have applied our tools to the problem of building network intrusion detection models. We report our experiments using the network data provided as part of the 1998 DARPA Intrusion Detection Evaluation program. We also discuss our experience in using the mined models in NFR, a real-time network intrusion detection system.
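The following is an added illustration of the "necessary conditions" idea, not code from the paper or from NFR. It assumes three feature cost levels (1: per-connection fields known when a connection starts; 2: fields known only when it ends; 3: statistics over a window of recent connections), a two-second window, and constructed rule names, thresholds and connection records. Each rule's cheap tests are necessary conditions for the rule to fire, so they are evaluated first and a failure stops evaluation before any expensive feature is computed; the eager baseline computes every feature for every connection and is used only to confirm that the labels are identical.

```python
"""Cost-aware evaluation of mined intrusion-detection rules (added illustration).

Assumed cost levels: 1 = service/flag (known at connection start), 2 = bytes
(known at connection end), 3 = window statistics over earlier connections.
Rule names, thresholds and the sample connections below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]
WINDOW = 2.0  # seconds a level-3 feature looks back over (assumption)


@dataclass(frozen=True)
class Feature:
    name: str
    level: int  # cost level, 1 (cheap) .. 3 (expensive)
    compute: Callable[[Record, List[Record]], object]  # (connection, earlier ones) -> value


def _same_host(rec: Record, history: List[Record]) -> List[Record]:
    """Earlier connections to the same destination host inside the window."""
    return [h for h in history
            if h["dst_host"] == rec["dst_host"] and rec["t"] - h["t"] <= WINDOW]


def _syn_error_rate(rec: Record, history: List[Record]) -> float:
    same = _same_host(rec, history)
    return sum(c["flag"] == "S0" for c in same) / len(same) if same else 0.0


FEATURES = {f.name: f for f in [
    Feature("service", 1, lambda r, _h: r["service"]),
    Feature("flag", 1, lambda r, _h: r["flag"]),
    Feature("src_bytes", 2, lambda r, _h: r["src_bytes"]),
    Feature("same_host_count", 3, lambda r, h: len(_same_host(r, h))),
    Feature("syn_error_rate", 3, _syn_error_rate),
]}


@dataclass
class Rule:
    label: str
    conditions: Tuple[Tuple[str, Callable[[object], bool]], ...]  # (feature, test)

    def __post_init__(self):
        # Cheap tests are necessary conditions for the rule: order them first so a
        # failure there ends evaluation before any expensive feature is touched.
        self.conditions = tuple(sorted(self.conditions,
                                       key=lambda c: FEATURES[c[0]].level))


RULES = [  # constructed rules in the style of mined connection-level rules
    Rule("syn_flood", (("service", lambda v: v == "http"), ("flag", lambda v: v == "S0"),
                       ("same_host_count", lambda v: v >= 3),
                       ("syn_error_rate", lambda v: v >= 0.75))),
    Rule("probe", (("flag", lambda v: v == "REJ"), ("same_host_count", lambda v: v >= 3))),
    Rule("large_upload", (("service", lambda v: v == "ftp_data"),
                          ("src_bytes", lambda v: v > 1_000_000))),
]

# Constructed connection records (time, service, TCP state flag, bytes, destination).
RECORDS: List[Record] = [
    {"t": 0.0, "service": "http", "flag": "SF", "src_bytes": 230, "dst_host": "10.0.0.5"},
    {"t": 0.3, "service": "smtp", "flag": "SF", "src_bytes": 1200, "dst_host": "10.0.0.6"},
    {"t": 1.0, "service": "http", "flag": "S0", "src_bytes": 0, "dst_host": "10.0.0.5"},
    {"t": 1.1, "service": "http", "flag": "S0", "src_bytes": 0, "dst_host": "10.0.0.5"},
    {"t": 1.2, "service": "http", "flag": "S0", "src_bytes": 0, "dst_host": "10.0.0.5"},
    {"t": 1.3, "service": "http", "flag": "S0", "src_bytes": 0, "dst_host": "10.0.0.5"},
    {"t": 2.0, "service": "ftp_data", "flag": "SF", "src_bytes": 5_000_000, "dst_host": "10.0.0.7"},
    {"t": 2.5, "service": "telnet", "flag": "REJ", "src_bytes": 0, "dst_host": "10.0.0.8"},
]


def run(records: List[Record], lazy: bool = True) -> Tuple[List[str], Dict[int, int]]:
    """Classify each connection; return labels and feature computations per cost level.

    lazy=True computes a feature only once a rule's cheaper necessary conditions
    have held; lazy=False is the naive baseline that computes everything up front.
    """
    labels, cost, history = [], Counter(), []
    for rec in records:
        cache: Dict[str, object] = {}

        def value(name: str) -> object:
            if name not in cache:  # each feature is computed at most once per connection
                feat = FEATURES[name]
                cache[name] = feat.compute(rec, history)
                cost[feat.level] += 1
            return cache[name]

        if not lazy:
            for name in FEATURES:
                value(name)
        label = "normal"
        for rule in RULES:
            # all() short-circuits: the first failing (cheap) test ends this rule.
            if all(test(value(name)) for name, test in rule.conditions):
                label = rule.label
                break
        labels.append(label)
        history.append(rec)
    return labels, dict(cost)


if __name__ == "__main__":
    for mode in (True, False):
        print("lazy" if mode else "eager", *run(RECORDS, lazy=mode))
```

On the constructed records both modes label the same connections (one SYN flood, one large upload), but the lazy evaluator computes the window statistics 7 times instead of 16 and the end-of-connection byte count once instead of 8 times; the saving grows with the share of benign traffic, since most connections fail a level-1 test and never reach a level-3 feature.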