The need for intrusion detection systems that are able to monitor large amounts of audit trail data, detect intrusions quickly, and generate few false alarms is pressing. This work introduces a network anomaly detection system, Audit Data Analysis and Mining (ADAM), which uses a novel application of association rules and classification techniques to detect attacks using network audit trail data. ADAM is able to detect network intrusions in real time with a very low false alarm rate. One of its strongest contributions is the ability to detect novel attacks without depending on attack training data, due to a novel application of the pseudo-Bayes estimators technique.