Agent-oriented network intrusion detection system using data mining approaches

Most existing commercial Network Intrusion Detection System (NIDS) products are signature-based and not adaptive. In this paper, an adaptive NIDS based on data mining technology is developed. Data mining approaches are used to accurately capture the actual behaviour of network traffic, and the mined pattern portfolio is useful for differentiating 'normal' from 'attack' traffic. Moreover, most current research uses only one engine to detect all kinds of attack; the proposed system, which is constructed from a number of agents, differs from these in both its training and its detection process. Each agent has its own strength in capturing one kind of network behaviour, so the system as a whole is strong at detecting different types of attack. In addition, its ability to detect new types of attack and its higher tolerance to fluctuations were shown. The experimental results showed that the frequent patterns mined from the audit data could be used as reliable agents, which outperformed the traditional signature-based NIDS.
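
The abstract describes agents built from frequent patterns mined from audit data, each agent covering one kind of traffic, with the ensemble deciding whether a record is 'normal' or 'attack'. The following is an added illustration of that idea, not code from the paper: it mines frequent attribute=value itemsets (Apriori-style support counting, up to two items per set) from constructed per-connection records, builds one agent per service, scores a new record by the share of its sub-itemsets that were never frequent in an agent's profile, and lets the best-matching agent decide. The record fields, the `min_support`, `max_len` and `threshold` values, and the training data are all assumptions chosen for the demonstration; the paper's actual features, mining algorithm and thresholds are not stated in the abstract.

```python
from collections import Counter
from itertools import combinations

# Constructed audit records in the style of per-connection summaries.
# They are illustrative only, not the paper's data set.
HTTP_TRAINING = [
    {"proto": "tcp", "service": "http", "flag": "SF", "size": "small"},
    {"proto": "tcp", "service": "http", "flag": "SF", "size": "small"},
    {"proto": "tcp", "service": "http", "flag": "SF", "size": "medium"},
    {"proto": "tcp", "service": "http", "flag": "SF", "size": "small"},
    {"proto": "tcp", "service": "http", "flag": "SF", "size": "medium"},
    {"proto": "tcp", "service": "http", "flag": "REJ", "size": "small"},
]
SMTP_TRAINING = [
    {"proto": "tcp", "service": "smtp", "flag": "SF", "size": "medium"},
    {"proto": "tcp", "service": "smtp", "flag": "SF", "size": "medium"},
    {"proto": "tcp", "service": "smtp", "flag": "SF", "size": "large"},
    {"proto": "tcp", "service": "smtp", "flag": "SF", "size": "medium"},
]


def record_items(record):
    """Turn one audit record into a set of attribute=value items."""
    return frozenset(f"{k}={v}" for k, v in record.items())


def candidate_itemsets(items, max_len):
    """All non-empty sub-itemsets of a record with at most max_len items."""
    items = sorted(items)
    for k in range(1, max_len + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)


def mine_frequent_itemsets(records, min_support, max_len=2):
    """Support counting over a small record set; keeps itemsets whose
    support (fraction of records containing them) is >= min_support.
    Returns {itemset: support}. (Hypothetical, simplified Apriori.)"""
    counts = Counter()
    for record in records:
        for itemset in candidate_itemsets(record_items(record), max_len):
            counts[itemset] += 1
    n = len(records)
    return {s: c / n for s, c in counts.items() if c / n >= min_support}


class PatternAgent:
    """One detection agent: the frequent-pattern profile of one slice of normal traffic."""

    def __init__(self, name, training_records, min_support=0.3, max_len=2):
        self.name = name
        self.max_len = max_len
        self.patterns = mine_frequent_itemsets(training_records, min_support, max_len)

    def anomaly_score(self, record):
        """Fraction of the record's sub-itemsets that are NOT frequent in this profile:
        0.0 means every sub-pattern was common in training, 1.0 means none was."""
        candidates = list(candidate_itemsets(record_items(record), self.max_len))
        matched = sum(1 for s in candidates if s in self.patterns)
        return 1.0 - matched / len(candidates)


class AgentNIDS:
    """Ensemble of agents. Every agent scores the record and the lowest score wins,
    so an agent trained on one traffic type does not raise alerts on traffic that
    another agent models well (each agent has its own strength)."""

    def __init__(self, agents, threshold=0.25):
        self.agents = agents
        self.threshold = threshold

    def classify(self, record):
        scored = [(agent.anomaly_score(record), agent.name) for agent in self.agents]
        score, best_agent = min(scored)
        verdict = "attack" if score > self.threshold else "normal"
        return verdict, best_agent, score


def build_demo_nids():
    """Two agents, one per service in the constructed training data."""
    return AgentNIDS([PatternAgent("http", HTTP_TRAINING), PatternAgent("smtp", SMTP_TRAINING)])


if __name__ == "__main__":
    nids = build_demo_nids()
    for rec in [
        {"proto": "tcp", "service": "http", "flag": "SF", "size": "small"},   # seen often
        {"proto": "tcp", "service": "smtp", "flag": "SF", "size": "medium"},  # seen often
        {"proto": "tcp", "service": "http", "flag": "S0", "size": "small"},   # half-open: never seen
    ]:
        print(nids.classify(rec), rec)
```

The smtp record above illustrates why the ensemble matters: scored by the http agent alone it comes out at 0.4 (above the threshold) because `service=smtp` and its pairings were never frequent there, while the smtp agent scores it 0.0. The half-open http connection is flagged even though no signature for it exists, because `flag=S0` and every itemset containing it are absent from both profiles; that is the 'new attack type' behaviour the abstract claims for frequent-pattern agents.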
