In this paper we describe a data mining framework for constructing intrusion detection models. The first key idea is to mine system audit data for consistent and useful patterns of program and user behavior. The other is to use the set of relevant system features presented in the patterns to compute inductively learned classifiers that can recognize anomalies and known intrusions. In order for the classifiers to be effective intrusion detection models, we need to have sufficient audit data for training and also select a set of predictive system features. We propose to use the association rules and frequent episodes computed from audit data as the basis for guiding the audit data gathering and feature selection processes. We modify these two basic algorithms to use axis attribute(s) and reference attribute(s) as forms of item constraints to compute only the relevant patterns. In addition, we use an iterative level-wise approximate mining procedure to uncover the low frequency but important patterns. We use meta-learning as a mechanism to make intrusion detection models more effective and adaptive. We report our extensive experiments in using our framework on real-world audit data.
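
An added example, not code from the paper: a level-wise frequent itemset miner over constructed connection records, with the axis attribute applied as an item constraint. It assumes the constraint means a pattern is relevant only if it contains a value of the axis attribute (here `service`); the record fields, values and function name are illustrative.

```python
from collections import Counter
from itertools import combinations

# Constructed connection records (illustrative, not the paper's audit data).
RECORDS = [
    {"service": "http", "flag": "SF", "dst": "web1"},
    {"service": "http", "flag": "SF", "dst": "web1"},
    {"service": "http", "flag": "SF", "dst": "web2"},
    {"service": "smtp", "flag": "SF", "dst": "mail"},
    {"service": "smtp", "flag": "SF", "dst": "mail"},
    {"service": "telnet", "flag": "S0", "dst": "web1"},
    {"service": "telnet", "flag": "S0", "dst": "web2"},
    {"service": "http", "flag": "REJ", "dst": "web1"},
]

def frequent_itemsets(records, min_support, axis=None):
    """Return {itemset: support} for itemsets of (attribute, value) items.

    Candidates are grown level by level from the frequent sets of the
    previous level. If `axis` is set, only itemsets holding a value of
    that attribute are reported (assumed meaning of the constraint).
    """
    n = len(records)
    rows = [frozenset(r.items()) for r in records]
    candidates = {frozenset([item]) for row in rows for item in row}
    result, k = {}, 1
    while candidates:
        counts = Counter(c for row in rows for c in candidates if c <= row)
        level = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_support}
        for itemset, support in level.items():
            if axis is None or any(attr == axis for attr, _ in itemset):
                result[itemset] = support
        k += 1
        items = sorted({item for c in level for item in c})
        # Keep a k-item candidate only if every (k-1)-subset was frequent.
        candidates = {
            frozenset(c) for c in combinations(items, k)
            if all(frozenset(s) in level for s in combinations(c, k - 1))
        }
    return result

if __name__ == "__main__":
    found = frequent_itemsets(RECORDS, 0.25, axis="service")
    for itemset, support in sorted(found.items(), key=lambda kv: -kv[1]):
        print(f"{support:.3f}  {sorted(itemset)}")
```

Without the axis constraint the same data also yields patterns such as `flag=SF, dst=web1`, which say nothing about which service was involved.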