Fang Jinhe,Feng Yan,Wang Ruijie

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.18.048

2006-01-01

Abstract:After discussing the constraints of current intrusion detection systems(IDS),we issue two problems should be considered in developing an adaptive IDS,one is to select the time to update the normal profile and the other is to select a mechanism to update the profile.To resolve the first problem,we calculate the similarity between the incremental audit data and the normal profile and then decide whether to and when to update the profile.To resolve the second problem,we employ a sliding window approach and use only the audit data inside that sliding window to update the profile.The window therefore acts to filter out outdated audit data and to build a profile based on only recent data that reflects the recent system activities.

Wu Liu,Jian-Ping Wu,Hai-Xin Duan,Xing Li

DOI: https://doi.org/10.1007/11540007_96

2006-01-01

Abstract:In this paper, we apply data mining techniques to construct intrusion detection patterns. We mine both system audit data and network traffic data for consistent and useful patterns of program and user behavior, and use an iterative low-frequency-finder mining algorithm to find the low frequency but important patterns.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

杨向荣,宋擒豹,沈钧毅

DOI: https://doi.org/10.3321/j.issn:0253-987X.2002.02.016

2002-01-01

Abstract:An efficient method based on data mining is presented for detecting network intrusion. According to this method, user's behavior patterns are mined from IP packets, and used to build user's behavior rules base automatically. By comparing similarity, the new method can be used to detect known and unknown network attacks in real-time. The user's behavior patterns mining algorithm IDSPADE is described in detail, which is the most important part of DMIDS. The experimental results indicate that this algorithm is efficient enough to meet the needs of active detect novel intrusion. Compared with most existing systems by using the pure knowledge engineering approaches, the algorithm is more intelligent and adaptive.

杨建华,蒋玉明,彭轮

DOI: https://doi.org/10.3969/j.issn.1008-0570.2009.24.011

2009-01-01

Abstract:In this paper an intrusion detection system based on data mining is proposed,and its main idea is to apply data mining methods to learn rules that can capture normal and intrusion activities from pre-processed audit data that contain network connection information. Put forward a method to improve the Apriori algorithm,whose I/O is quite surprising when scanning the database. To improve the method is feasible;the normal rules in the knowledge database in IDS are mined. And the experiment indicates that the model can produce new rules,which approve the validity and the feasibility of the IDS.

蒋嶷川,田盛丰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.01.061

2002-01-01

Abstract:IDS (Intrusion Detection System) is a tool to detect the network intrusion actions. The key of IDS is the accuracy of the security mode rules. In network system there is a large amount of log audit data which contain much information related to security. So IDS can extract security mode rules from the log audit data. However, as the amount of the log audit date is too large, we can apply data mining technology into security mode rule extraction. This paper studies how to make data mining to system log audit information in IDS, provides the whole steps, and stresses using axis attribute to make character extraction to log audit information.

宋世杰,胡华平,胡笑蕾

DOI: https://doi.org/10.3969/j.issn.1671-1742.2004.01.001

2004-01-01

Abstract:The purpose of the data mining is to find out the relativity from a large number of data. The application of the association rules algorithm and the sequence patterns algorithm to IDS is presented and the process of mining frequency patterns from the raw audit data with the extended apriori association rules and the GSP sequence patterns algorithm combined is introduced. Finally the application is realized.

张博,李伟华,布日古德

DOI: https://doi.org/10.3969/j.issn.1671-654X.2004.04.038

2004-01-01

Abstract:For the developed of knowledge discover and other relative technology, the date mining has been a focus in these days. This technology is very effective on building in signature and models in the Intrusion Detection System (IDS). To deal with the lots of Intrusion, we build the signature database and signature association combing with the concept of the association rules of date mining and enhance the network security through audit.

Guojun Mao,Xindong Wu,Xuxian Jiang

DOI: https://doi.org/10.1080/18756891.2012.670519

2012-01-01

Abstract:Computer intrusions are taking place everywhere, and have become a major concern for information security. Most intrusions to a computer system may result from illegitimate or irregular calls to the operating system, so analyzing the system-call sequences becomes an important and fundamental technique to detect potential intrusions. This paper proposes two models based on data mining technology, respectively called frequency patterns (FP) and tree patterns (TP) for intrusion detection. FP employs a typical method of sequential mining based on frequency analysis, and uses a short sequence model to find out quickly frequent sequential patterns in the training system-call sequences. TP makes use of the technique of tree pattern mining, and can get a quality profile from the training system-call sequences of a given system. Experimental results show that FP has good performances in training and detecting intrusions from short system-call sequences, and TP can achieve a high detection precision in handling long sequences.

Jianjun Zhang,Youlin Ruan,Qinghua Li,ShiDa Yang

DOI: https://doi.org/10.1109/ICMLC.2004.1380613

2004-01-01

Abstract:Since many current IDSs are constructed by manual encoding of expert knowledge, updating of IDSs are expensive and slow. It is very clear that the frequent patterns mined from audit data can be used as reliable intrusion detection models. We propose efficiently parallel methods to extract an extensive set of features that describe each network connection and learn frequent patterns that accurately capture the behavior of intrusions and normal activities, which are employed to facilitate model construction and incremental updates.

WANG Qian,TANG Rui

DOI: https://doi.org/10.3969/j.issn.1001-3695.2013.04.067

2013-01-01

Abstract:Given the high dimension of network security data,traditional stray point tests cannot detect the details of intrusion behavior in network data.This essay aimed to put forward a frequent-pattern-based algorithm.To be specific the abnormal attribute of each record could be detected by detecting the frequent patterns and association rules of the data and stripping data flow or security log data of the noises and abnormal points.Based on the calculation of weighted frequent-pattern factor of the security data,accurate positioning of outliers and the automatic screening out of abnormal properties,the experiments show that this method can effectively detect the abnormal attributes in high dimensions in less space complexity.

Yu-Xin Ding,Hai-Sen Wang,Qing-Wei Liu

DOI: https://doi.org/10.1109/icmlc.2008.4620604

2008-01-01

Abstract:Traditional intrusion detection systems focus on low-level attacks, and only generate isolated alerts. They can't rind logical relations among alerts. In addition, IDS's accuracy is low, a lot of alerts are false alerts. So it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. To solve this problem different intrusion scenario detection methods are proposed. In this paper a data mining method is used to find the attack scenarios. Firstly redundancy alerts are checked and deleted, then attack scenario patterns are mined by using the associate-rule algorithms which is an improved Apriori algorithm. These mined scenario patterns are used to rind attack scenarios. In (his paper 1999 DARPA intrusion detection scenario specific datasets are used as the experimental data and the corresponding results are shown. Compared with current scenario detection methods which depend on human knowledge to define attack scenarios, our methods use data mining method to find the scenarios automatically. Our experimental results demonstrate the potential of the proposed method.

Wu Liu,wang jianping,Hai-Xin Duan,Xing Li

DOI: https://doi.org/10.1007/11538059_45

2005-01-01

Abstract:In this paper, we aim to develop a systematic framework to semi-automate the process of system logs and databases of intrusion detection systems (IDS). We use both Ef-attribute based mining and Es-attribute based mining to mine effective and essential attributes (hence interesting patterns) from the vast and miscellaneous system logs and IDS databases.

Sj Song,Zg Huang,Hp Hu,Sy Jin

DOI: https://doi.org/10.1007/978-3-540-30207-0_57

2004-01-01

Abstract:This paper presents a sequential pattern mining algorithm for misuse intrusion detection, which can be used to detect application layer attack. The algorithm can distinguish the order of attack behavior, and overcome the limitation of Wenke Lee's method, which performs statistical analysis against intrusion behavior at the network layer with frequent episode algorithm. The algorithm belongs to behavior analysis technique based on protocol analysis. The preprocessed data of the algorithm are application layer connection records extracted from DARPA's tcpdump data by protocol analysis tools. We use vertical item-transaction data structure in the algorithm. Compared with AprioriAll algorithm, the complexity of this algorithm is decreased greatly. Using this algorithm, we dig out an "intrusion-only" itemset sequential pattern, which is different from normal user command sequential pattern. Experiments indicate that our algorithm describes attacks more accurately, and it can detect those attacks whose features appear only once. Our presentation offers a new approach for the research of misuse intrusion detection.

宋世杰,胡华平,胡笑蕾,金士尧

2003-01-01

Abstract:The key issue of anomaly NIDS is building normal patterns, comparing current system or user behaviors with history behaviors, and then detecting intrusion. We introduced some data mining algorithms, presentd a classification method of IDS based on data mining, and described the process of data mining application in anomaly NIDS from network layer and application layer. We proposed three methods of pattern comparison in detail, and verified that the obtained normal audit data is enough for network layer anomaly NIDS.'

Cai Wan

2003-01-01

Computer Science

Abstract:Intrusion Detection System (IDS) is an important network security technique. It can dynamic detect the network attack behaviors. At present, great issues for IDS are incapable of detecting the unknown malicious attack behaviors. So that, some new detection techniques are presented,data mining-based detection technique is an effective method in them. In this paper, data mining-based detection method and its key techniques are discussed in detail.

Xr Yang,Qb Song,Jy Shen

2001-01-01

Abstract:In this paper we present a frequent sequence patterns mining-based algorithm used for network intrusion detection, which is an application and extension of SPADE algorithm. It is based on the idea that much behavior on the network appear as sequences of activities, according to the sequence patterns we computed, we can construct the intrusion rule base and legal action rule base, then we can detect known and novel intrusion activities by rules' matching. In addition, when system is running, we use an incremental sequence patterns mining algorithm to complement the rule library in order to avoid re-executing the algorithm on the entire dataset, thereby reducing execution time. The experimental results indicate that this algorithm is efficient enough to meet the needs of active detect novel intrusion. Compared with most existing methods used in commercial systems which are built using purely knowledge engineering approaches, our algorithm is more intelligent and adaptive.

牛建强,曹元大

DOI: https://doi.org/10.3969/j.issn.1001-3695.2003.09.027

2003-01-01

Abstract:Obviously the analysis to log data is an important and valuable link in the whole security model.In the paper,we apply the approach of data mining to log analysis system of IDS,and especially solve the problem of intrusion model's drawing and classifier's constructing in the system,which also does solve the automatic process of log analyses.

吕锡香,杨波,裴昌幸,苏晓龙

DOI: https://doi.org/10.3969/j.issn.1001-2400.2004.04.020

2004-01-01

Journal of Xidian University

Abstract:We discuss our research in developing the detection engine of the intrusion detection system. The key ideas are to combine the slide window into the data mining technique to design the base detection engine which is the essential share of the meta detection engine. In addition, Apriori, a kind of data mining algorithm, is improved to mine network data. The improved algorithm does not scan all items in database and only links the items in the same list, so the detection efficiency is improved greatly. Also, other key details in IDS are put forward.

Jh Sun,H Jin,H Chen,Zf Han,Dq Zou

DOI: https://doi.org/10.1007/978-3-540-45080-1_91

2003-01-01

Abstract:Intrusion Detection Systems (IDSs) have become a critical part of security systems. The goal of an intrusion detection system is to block intrusion effectively and accurately. However, the performance of IDS is not satisfying. In this paper, we study the issue of building a data mining based intrusion detection model to raise the detection performance. The key ideas are to use data mining techniques to discover consistent and useful patterns for intrusion and use the set of patterns to recognize intrusion. By applying statistics inference theory to this model, the patterns mined from a set of test data are effective to detect the attacks in the same category, and therefore can detect most novel attacks that are variants of known attacks.