icdm03 - Learning Rules for Anomaly Detection of Hostile...

Learning Rules for Anomaly Detection of Hostile Network Traffic

Matthew V. Mahoney and Philip K. Chan
Department of Computer Sciences
Florida Institute of Technology
Melbourne, FL 32901
{mmahoney,pkc}@cs.fit.edu

Abstract

We introduce an algorithm called LERAD that learns rules for finding rare events in nominal time-series data with long range dependencies. We use LERAD to find anomalies in network packets and TCP sessions to detect novel intrusions. We evaluated LERAD on the 1999 DARPA/Lincoln Laboratory intrusion detection evaluation data set and on traffic collected in a university departmental server environment.

1. Introduction and Related Work

An important component of computer security is intrusion detection--knowing whether a system has been compromised or if an attack is occurring. Hostile activity can sometimes be inferred by examining inbound network traffic, operating system events, or changes to the file system, either for patterns signaling known attacks (signature detection), or for unusual events signaling possible novel attacks (anomaly detection). Anomaly detection has the advantage that it can sometimes detect previously unknown attacks, but has the disadvantage that it issues false alarms, because unusual events are not always hostile. Often both approaches are used. For example, a virus detector might scan files for strings signaling known viruses, and might also test for modifications of executable files as indications of possible new viruses.

Network anomaly detection is a particularly difficult problem because higher level (application) protocols are complex and difficult to model, and because data must be processed at high speed. A common approach is to use a firewall with rules programmed by a network administrator to block and/or log packets based on lower level features such as IP addresses and port numbers. This technique can detect or block port scans and unauthorized access to private services (e.g. ssh) from untrusted clients.

However, detection of attacks on public services such as HTTP (web), SMTP (email), and DNS (host name lookup) currently relies on signature detection systems such as SNORT [10] or Bro [8] to scan for strings signaling known attacks. The rule set is quite large (SNORT has over 1800) and must be updated frequently. This would not be an effective defense against novel attacks or fast spreading worms. Network anomaly detection systems such as ADAM [2], SPADE [3], and eBayes [11] use machine learning approaches to model normal network traffic in order to identify unusual events as suspicious, but they model low-level (firewall-like) features such as addresses and port numbers, rather than application protocols.

We introduce an efficient, randomized algorithm called LERAD (Learning Rules for Anomaly Detection), which can discover relationships among attributes in order to model application protocols. LERAD differs from association mining approaches such as APRIORI [1] in that it finds enough rules with a small set of allowed values in the consequent to describe the data, rather than
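The introduction describes LERAD's output as rules whose consequent is a small set of allowed values for an application-level attribute. The Python below is an added illustration of that rule form and is not the paper's LERAD implementation: the sample TCP sessions are constructed, the rule learner uses a single fixed antecedent rather than the paper's randomized search, and the anomaly score (rule support divided by the size of the allowed set) is an assumption made here for illustration, not the paper's scoring function.

```python
from collections import defaultdict

# Constructed sample of TCP sessions reduced to nominal attributes:
# destination port and the first word of the client payload.
# These are made-up records, not captured traffic.
TRAIN_SESSIONS = [
    {"dport": 80, "word": "GET"},
    {"dport": 80, "word": "GET"},
    {"dport": 80, "word": "POST"},
    {"dport": 80, "word": "GET"},
    {"dport": 25, "word": "HELO"},
    {"dport": 25, "word": "EHLO"},
    {"dport": 25, "word": "HELO"},
    {"dport": 21, "word": "USER"},
]


def learn_rules(sessions, antecedent, consequent, max_values=4):
    """Learn rules of the form 'antecedent values -> consequent in {allowed}'.

    Only rules whose allowed set is small (<= max_values) are kept, mirroring
    the page's point that the useful rules are those with a small set of
    allowed values in the consequent. Returns {antecedent_key: (allowed, n)}
    where n is the number of training sessions matching the antecedent.
    (Hypothetical simplification: one fixed antecedent, no randomization.)
    """
    seen = defaultdict(set)
    count = defaultdict(int)
    for s in sessions:
        key = tuple(s[a] for a in antecedent)
        seen[key].add(s[consequent])
        count[key] += 1
    return {
        key: (frozenset(vals), count[key])
        for key, vals in seen.items()
        if len(vals) <= max_values
    }


def anomaly_score(session, rules, antecedent, consequent):
    """Score one session against the learned rules.

    A session that matches a rule's antecedent but carries a consequent value
    never seen in training violates that rule. The score n / |allowed| is a
    constructed illustration (well-supported rules with few allowed values
    weigh more); it is not the paper's formula.
    """
    key = tuple(session[a] for a in antecedent)
    if key not in rules:
        return 0.0  # no rule covers this antecedent, nothing to compare against
    allowed, n = rules[key]
    if session[consequent] in allowed:
        return 0.0
    return n / len(allowed)


def flag_sessions(sessions, rules, antecedent, consequent, threshold=1.0):
    """Return (session, score) pairs whose score reaches the threshold."""
    flagged = []
    for s in sessions:
        sc = anomaly_score(s, rules, antecedent, consequent)
        if sc >= threshold:
            flagged.append((s, sc))
    return flagged


if __name__ == "__main__":
    ante, cons = ("dport",), "word"
    rules = learn_rules(TRAIN_SESSIONS, ante, cons)
    for key, (allowed, n) in sorted(rules.items()):
        print(f"if dport={key[0]} then word in {sorted(allowed)}  (n={n})")
    test = [
        {"dport": 80, "word": "GET"},     # conforms to the port-80 rule
        {"dport": 80, "word": "HELO"},    # unusual word on port 80: flagged
        {"dport": 443, "word": "GET"},    # no rule learned for port 443
    ]
    for s, sc in flag_sessions(test, rules, ante, cons):
        print("anomalous:", s, "score", sc)
```

The point the example makes is the contrast the introduction draws: a frequent-itemset miner would report that GET often co-occurs with port 80, whereas a detector built on rules like "if dport=80 then word in {GET, POST}" can say that a session whose first word falls outside that small set is worth an alert.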