A framework for constructing features and models for intrusion detection systems

Lee, Wenke; Stolfo, Salvatore J.

doi:10.1145/382912.382914

Cited by 723 publications

(422 citation statements)

References 14 publications

Supporting

Mentioning

413

Contrasting

Unclassified

Order By: Relevance

“…A RIPPER classifier method was suggested (Lee and Stolfo, 2001;Lee et al, 2002) to induce rules from the data by employing a divide-andconquer approach and involving either discarding or pruning some of the learnt rules is carried out to increase the classifier accuracy. RIPPER classifier has been successfully used in data mining based anomaly detection algorithms to classify incoming audit data and detect intrusions.…”

Section: Classification-based Anomaly Detectionmentioning

confidence: 99%

A Survey of Anomaly Detection Using Data Mining Methods for Hypertext Transfer Protocol Web Services

Kakavand

Mustapha

Abdullah

et al. 2015

Journal of Computer Science

View full text Add to dashboard Cite

Abstract:In contrast to traditional Intrusion Detection Systems (IDSs), data mining anomaly detection methods/techniques has been widely used in the domain of network traffic data for intrusion detection and cyber threat. Data mining is widely recognized as popular and important intelligent and automatic tools to assist humans in big data security analysis and anomaly detection over IDSs. In this study we discuss our review in data mining anomaly detection methods for HTTP web services. Today, many online careers and actions including online shopping and banking are running through web-services. Consequently, the role of Hypertext Transfer Protocol (HTTP) in web services is crucial, since it is the standard facilitator for communication protocol. Hence, among the intruders that bound attacks, HTTP is being considered as a vital middle objective. In the recent years, an effective system that has attracted the attention of the researchers is the anomaly detection which is based on data mining methods. We provided an overview on four general data mining techniques such as classification, clustering, semi-supervised and association rule mining. These data mining anomaly detection methods can be used to computing intelligent HTTP request data, which are necessary in describing user behavior. To meet the challenges of data mining techniques, we provide challenges and issues section for intrusion detection systems in HTTP web services.

show abstract

Section: Classification-based Anomaly Detectionmentioning

confidence: 99%

A Survey of Anomaly Detection Using Data Mining Methods for Hypertext Transfer Protocol Web Services

Kakavand

Mustapha

Abdullah

et al. 2015

Journal of Computer Science

View full text Add to dashboard Cite

show abstract

“…Lee and Stolfo [18] first proposed a framework of using data mining algorithms to extract features of audit records and processing these records by means of machine learning algorithms. Then, machine learning algorithms have become epidemic in reducing the false alarms.…”

Section: Background and Related Workmentioning

confidence: 99%

Enhancing False Alarm Reduction Using Voted Ensemble Selection in Intrusion Detection

Meng¹,

Kwok²

2013

IJCIS

View full text Add to dashboard Cite

Network intrusion detection systems (NIDSs) have become an indispensable component for the current network security infrastructure. However, a large number of alarms especially false alarms are a big problem for these systems which greatly lowers the effectiveness of NIDSs and causes heavier analysis workload. To address this problem, a lot of intelligent methods (e.g., machine learning algorithms) have been proposed to reduce the number of false alarms, but it is hard to determine which one is the best. We argue that the performance of different machine learning algorithms is very fluctuant with regard to distinct contexts (e.g., training data). In this paper, we propose an architecture of intelligent false alarm filter by employing a method of voted ensemble selection aiming to maintain the accuracy of false alarm reduction. In particular, there are four components in the architecture: data standardization, data storage, voted ensemble selection and alarm filtration. In the experiment, we conduct a study involved three machine learning algorithms such as support vector machine, decision tree and k-nearest neighbor, and use Snort, which is an open source signature-based NIDS, to explore the effectiveness of our proposed architecture. The experimental results show that our intelligent false alarm filter is effective and encouraging to maintain the performance of reducing false alarms at a high and stable level.

show abstract

“…Misuse detection models the patterns of known attacks or vulnerabilities, and identifies actions that conform to such patterns as attacks. Existing approaches include rule-based methods (e.g., ASAX [26], P-BEST [25]), state transition based methods [5], [14], and data mining approaches [22], [23]. Most of these techniques cannot be directly applied to sensor networks due to the resource constraints on sensor nodes.…”

Section: Intrusion Detectionmentioning

confidence: 99%

LAD: Localization anomaly detection for wireless sensor networks

Fang

Ningi

2006

Journal of Parallel and Distributed Computing

134

130

View full text Add to dashboard Cite

Abstract-In wireless sensor networks (WSNs), sensors' locations play a critical role in many applications. Having a GPS receiver on every sensor node is costly. In the past, a number of location discovery (localization) schemes have been proposed. Most of these schemes share a common feature: they use some special nodes, called beacon nodes, which are assumed to know their own locations (e.g., through GPS receivers or manual configuration). Other sensors discover their locations based on the reference information provided by these beacon nodes.Most of the beacon-based localization schemes assume a benign environment, where all beacon nodes are supposed to provide correct reference information. However, when the sensor networks are deployed in a hostile environment, where beacon nodes can be compromised, such an assumption does not hold anymore.In this paper, we propose a general scheme to detect localization anomalies that are caused by adversaries. Our scheme is independent from the localization schemes. We formulate the problem as an anomaly intrusion detection problem, and we propose a number of ways to detect localization anomalies. We have conducted simulations to evaluate the performance of our scheme, including the false positive rates, the detection rates, and the resilience to node compromises.

show abstract

A framework for constructing features and models for intrusion detection systems

Cited by 723 publications

References 14 publications

A Survey of Anomaly Detection Using Data Mining Methods for Hypertext Transfer Protocol Web Services

A Survey of Anomaly Detection Using Data Mining Methods for Hypertext Transfer Protocol Web Services

Enhancing False Alarm Reduction Using Voted Ensemble Selection in Intrusion Detection

LAD: Localization anomaly detection for wireless sensor networks

Contact Info

Product

Resources

About