A Framework for Constructing Features and Models for Intrusion Detection Systems
WENKE LEE
Georgia Institute of Technology
and
SALVATORE J. STOLFO
Columbia University
Intrusion detection (ID) is an important component of infrastructure protection mechanisms. Intrusion detection systems (IDSs) need to be accurate, adaptive, and extensible. Given these requirements and the complexities of today’s network environments, we need a more systematic and automated IDS development process rather than the pure knowledge encoding and engineering approaches. This article describes a novel framework, MADAM ID, for Mining Audit Data for Automated Models for Intrusion Detection. This framework uses data mining algorithms to compute activity patterns from system audit data and extracts predictive features from the patterns. It then applies machine learning algorithms to the audit records that are processed according to the feature definitions to generate intrusion detection rules. Results from the 1998 DARPA Intrusion Detection Evaluation showed that our ID model was one of the best performing of all the participating systems. We also briefly discuss our experience in converting the detection models produced by off-line data mining programs to real-time modules of existing IDSs.
Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—Security and protection (e.g., firewalls); C.2.3 [Computer-Communication Networks]: Network Operations—Network monitoring; D.4.6 [Operating Systems]: Security and Protection; H.2.8 [Database Management]: Database applications—Data mining; I.2.6 [Artificial Intelligence]: Learning—Concept learning
General Terms: Design, Experimentation, Security
Additional Key Words and Phrases: Data mining, feature construction, intrusion detection
This article is based on the authors’ published papers in the Proceedings of