Weighted Nebulous Matching over Frequent Episode Rules using Internet Anomaly Detection

B. Muthulakshmi

Abstract


A new Internet traffic data mining technique is presented for generating frequent episode rules (FER) [1]. An adaptive base-support threshold is applied to different axis attributes in these rules. We use the rules to build anomaly-based network intrusion detection systems (NIDS) [2]. The episode rules detect anomalous sequences of TCP [3], UDP [4], or ICMP [5] connections. Three new pruning techniques are devised to reduce the rule search space by 70% in our benchmark experiments. Testing our scheme over real-life Internet trace data collected at USC mixed with 10 days of MIT/LL attack data, we encountered 20 or fewer false alarms over 200 network attacks. We successfully detect 47% of all unknown network attacks. These results show a 51% improvement over NIDS built exclusively with association rules.

Keywords


Network Security, Intrusion Detection Systems, Anomaly Detection, Internet Traffic Analysis, Frequent Episode Rules, False Alarms and Adaptive Data Mining.

References


D. Barbara, J. Couto, S. Jajodia, L. Popyack, and N. Wu, “ADAM: Detecting Intrusions by Data Mining,” Proc. IEEE Workshop Information Assurance and Security, 2001.

[2] D.J. Burroughs, L.F. Wilson, and G.V. Cybenko, “Analysis of Distributed Intrusion Detection Systems Using Bayesian Methods Performance,” Proc. IEEE Int’l Computing and Comm. Conf., pp. 329-334, 2002.

K.S. Killourhy and R.A. Maxion, “Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits,” Proc. Int’l Symp. Recent Advances in Intrusion Detection (RAID ’02), pp. 54-73, Sept. 2002.

F. Tao, F. Murtagh, and M. Farid, “Weighted Association Rule Mining Using Weighted Support and Significance Framework,” Proc. Ninth ACM Int’l Conf. Knowledge Discovery and Data Mining (SIGKDD), pp. 661-666, 2003.


Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.