In network-based intrusion detection, signature discovery is an important issue, since the performance of an intrusion detection system depends heavily on the accuracy and abundance of its signatures. In most cases these signatures have to be found manually, which is time-consuming and error-prone work. Some papers introduce data mining into intrusion detection systems, but these schemes have drawbacks. We present a data mining based approach to supporting signature discovery in a network-based intrusion detection system; it helps people find the signatures of an intrusion easily. The main idea is as follows. First, the Signature Discovery System (SDS) tries to find the most likely signatures, i.e. those that occur very frequently in the monitored communication. Second, SDS finds the relationships between these candidate signatures and constructs rules based on the relationships found. Finally, SDS gives two kinds of hints: one is the set of signatures whose frequency of occurrence is greater than a threshold; the other is a set of rules, composed of the signatures created by SDS in the second step. An experimental system called SigSniffer has been implemented to test the feasibility of the proposed approach.
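One way to realize the two mining steps just described, written here as an added illustration and not as SigSniffer's own code: an Apriori-style level-wise search finds the token sets (candidate signatures) whose support in the monitored sessions reaches the threshold, and association rules are then derived from those sets, giving both kinds of hints the abstract names. The sessions, tokens, thresholds and function names are constructed for this example; the abstract does not specify SDS at this level of detail.

```python
"""Apriori-style frequent-signature and rule mining over monitored sessions.

Added example, not SigSniffer's code.  Each session is modelled as the set of
tokens (hypothetical signature candidates) extracted from one monitored
connection; the sessions below are constructed sample data.
"""
from collections import Counter
from itertools import combinations
from typing import FrozenSet, List, NamedTuple

# Constructed sample input: token sets from ten monitored HTTP sessions.
SESSIONS: List[FrozenSet[str]] = [frozenset(s) for s in [
    {"GET", "/cgi-bin/", "../", "HTTP/1.0", "403"},
    {"GET", "/cgi-bin/", "../", "HTTP/1.0", "403"},
    {"GET", "/cgi-bin/", "../", "HTTP/1.1", "403"},
    {"GET", "/cgi-bin/", "../", "HTTP/1.0", "404"},
    {"GET", "/index.html", "HTTP/1.1", "200"},
    {"GET", "/index.html", "HTTP/1.1", "200"},
    {"POST", "/login", "HTTP/1.1", "200"},
    {"POST", "/login", "HTTP/1.1", "403"},
    {"GET", "/images/logo.png", "HTTP/1.1", "200"},
    {"GET", "/cgi-bin/", "HTTP/1.1", "200"},
]]


class Rule(NamedTuple):
    antecedent: FrozenSet[str]
    consequent: FrozenSet[str]
    support: float      # fraction of sessions containing antecedent and consequent
    confidence: float   # support(antecedent | consequent) / support(antecedent)


def frequent_itemsets(sessions, min_support, max_size=3):
    """Step 1: level-wise (Apriori) search for token sets with support >= min_support.

    Returns {frozenset(tokens): support}.  Every subset of a frequent set is
    itself frequent, so all subsets of each returned set are present as well.
    """
    sessions = [frozenset(s) for s in sessions]
    n = len(sessions)

    def support(itemset):
        return sum(1 for s in sessions if itemset <= s) / n

    # Level 1: single tokens, counted in one pass over the sessions.
    counts = Counter(tok for s in sessions for tok in s)
    level = {frozenset([t]): c / n for t, c in counts.items() if c / n >= min_support}
    frequent = dict(level)

    k = 2
    while level and k <= max_size:
        # Candidate generation: join two frequent (k-1)-sets and keep the union
        # only if every (k-1)-subset is frequent (Apriori pruning).
        candidates = set()
        for a in level:
            for b in level:
                u = a | b
                if len(u) == k and all(frozenset(sub) in level
                                       for sub in combinations(u, k - 1)):
                    candidates.add(u)
        # Candidate counting against the monitored sessions.
        level = {}
        for c in candidates:
            sup = support(c)
            if sup >= min_support:
                level[c] = sup
        frequent.update(level)
        k += 1
    return frequent


def association_rules(frequent, min_confidence):
    """Step 2: derive 'if these tokens occur, those occur too' rules from the
    frequent sets, keeping only rules with confidence >= min_confidence."""
    rules = []
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                conf = sup / frequent[ante]   # ante is frequent, so it is present
                if conf >= min_confidence:
                    rules.append(Rule(ante, itemset - ante, sup, conf))
    return rules


def discover(sessions, min_support=0.4, min_confidence=0.9):
    """Both kinds of hints: frequent single signatures, and rules over them."""
    frequent = frequent_itemsets(sessions, min_support)
    signatures = {next(iter(s)): sup for s, sup in frequent.items() if len(s) == 1}
    return {"signatures": signatures,
            "rules": association_rules(frequent, min_confidence)}


if __name__ == "__main__":
    hints = discover(SESSIONS)
    for tok, sup in sorted(hints["signatures"].items(), key=lambda kv: -kv[1]):
        print(f"signature {tok!r:22} support={sup:.2f}")
    for r in sorted(hints["rules"], key=lambda r: (-r.confidence, -r.support)):
        print(f"rule {sorted(r.antecedent)} -> {sorted(r.consequent)} "
              f"support={r.support:.2f} confidence={r.confidence:.2f}")
```

With the constructed sessions and a support threshold of 0.4, the first hint is the six tokens seen in at least four of the ten sessions; the second is eight rules such as `['../'] -> ['/cgi-bin/', 'GET']` at confidence 1.0, the kind of co-occurrence an analyst would then check before turning it into a detection signature. Lowering either threshold widens the candidate list and raises the proportion of benign co-occurrences (here `200 -> HTTP/1.1`) that must be weeded out by hand.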