论文信息 - Improving Intrusion Detection Performance using Keyword Selection and Neural Networks

Improving Intrusion Detection Performance using Keyword Selection and Neural Networks

Abstract The most common computer intrusion detection systems detect signatures of known attacks by searching for attack-specific keywords in network traffic. Many of these systems suffer from high false-alarm rates (often hundreds of false alarms per day) and poor detection of new attacks. Poor performance can be improved using a combination of discriminative training and generic keywords. Generic keywords are selected to detect attack preparations, the actual break-in, and actions after the break-in. Discriminative training weights keyword counts to discriminate between the few attack sessions where keywords are known to occur and the many normal sessions where keywords may occur in other contexts. This approach was used to improve the baseline keyword intrusion detection system used to detect user-to-root attacks in the 1998 DARPA Intrusion Detection Evaluation. It reduced the false-alarm rate required to obtain 80% correct detections by two orders of magnitude to roughly one false alarm per day. The improved keyword system detects new as well as old attacks in this database and has roughly the same computation requirements as the original baseline system. Both generic keywords and discriminant training were required to obtain this large performance improvement.

Robert K. Cunningham | Richard Lippmann | R. Lippmann | R. Cunningham

[1] Robert K. Cunningham,et al. Evaluating Intrusion Detection Systems Without Attacking Your Friends: The 1998 DARPA Intrusion Detection Evaluation , 1999 .

[2] E. Amoroso. Intrusion Detection , 1999 .

[3] R.K. Cunningham,et al. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[4] Richard Lippmann,et al. The 1999 DARPA off-line intrusion detection evaluation , 2000, Comput. Networks.

[5] Salvatore J. Stolfo,et al. Mining in a data-flow environment: experience in network intrusion detection , 1999, KDD '99.

[6] William L. Fithen,et al. State of the Practice of Intrusion Detection Technologies , 2000 .

[7] Richard P. Lippmann,et al. LNKnet: Neural Network, Machine-Learning, and Statistical Software for Pattern Classification , 1993 .

[8] BishopMatt,et al. The threat from the net , 1997 .

[9] Peter G. Neumann,et al. Experience with EMERALD to Date , 1999, Workshop on Intrusion Detection and Network Monitoring.

[10] Steven Cheung,et al. The threat from the net [Internet security] , 1997 .

[11] John McHugh,et al. Defending Yourself: The Role of Intrusion Detection Systems , 2000, IEEE Software.

[12] Thomas Henry Ptacek,et al. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .