
Research For Intrusion Detection Based On Data Mining Technology

Posted on: 2004-08-27
Degree: Master
Type: Thesis
Country: China
Candidate: X W Zhang
GTID: 2168360092493060
Subject: Mechanical design and theory

Abstract/Summary:
Intrusion detection is an essential component of the information security assurance infrastructure. The traditional process of building Intrusion Detection Systems (IDSs) is very slow, and the systems are expensive to update. Current IDSs thus have limited effectiveness and extensibility in the face of rapidly changing and updated network configurations, and poor adaptability in the face of new attack methods.

This thesis describes a method of building intrusion detection models based on data mining technology. Classification rules are inductively learned from audit records and used as intrusion detection models. A critical requirement for the rules to be effective detection models is that a set of appropriate features first be constructed and included in the audit records. A key contribution of the thesis is thus automatic "feature construction". Using this method, raw audit data is first preprocessed into records with a set of basic features. Data mining algorithms are then applied to compute the frequent patterns from the records, which are automatically analyzed to generate an additional set of features for intrusion detection purposes.

We introduce several extensions, namely axis attribute(s), reference attribute(s), level-wise approximate mining, and mining with relative support, to the basic association rules and frequent episodes algorithms. The extended algorithms use the characteristics of the audit data to direct the efficient computation of "relevant" patterns. We develop a simple encoding algorithm so that frequent patterns can be easily analyzed and compared. We devise an algorithm that automatically constructs temporal and statistical features according to the semantics of the patterns.

Finally, the effectiveness of this method is evaluated in an experiment.
Keywords/Search Tags: Intrusion detection, Data mining, Classification model, Frequent pattern, Feature construction