Intrusion detection is an essential component of computer security mechanisms. It requires accurate and efficient analysis of a large amount of system and network audit data, and is thus a natural application area for data mining. Audit data has several characteristics: abundant raw data, rich system and network semantics, and a constantly "streaming" nature. Accordingly, when developing data mining approaches, we need to focus on feature extraction and construction, customization of (general) algorithms according to semantic information, and optimization of the execution efficiency of the output models. In this paper, we describe a data mining framework for mining audit data for intrusion detection models. We discuss its advantages and limitations, and outline the open research problems.
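As an added illustration of the feature-construction and efficiency points above (example code written for this page, not from the paper), the following builds sliding-window temporal features from a constructed audit stream, such as the number of recent connections to the same destination host and the error rate among them, updating counters incrementally so the cost per record does not grow with the window. The record layout, feature names and sample values are assumptions.

```python
from collections import Counter, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditRecord:
    """One connection record from a constructed audit stream (layout assumed)."""
    t: float       # timestamp in seconds; records arrive in time order
    src: str
    dst: str
    service: str
    flag: str      # "SF" = normal completion; anything else = error

def extract_features(records, window=2.0):
    """Build temporal features per record using only the last `window` seconds:
      count       - connections to the same destination host
      serror_rate - fraction of those with a non-SF (error) flag
      srv_count   - connections to the same host and service
    Counters are updated on arrival and eviction, so each record costs O(1)
    amortized regardless of window size, which matters for streaming data."""
    recent = deque()
    by_host, host_err, by_host_srv = Counter(), Counter(), Counter()
    features = []
    for r in records:
        recent.append(r)
        by_host[r.dst] += 1
        host_err[r.dst] += int(r.flag != "SF")
        by_host_srv[(r.dst, r.service)] += 1
        while r.t - recent[0].t > window:  # evict records outside the window
            old = recent.popleft()
            by_host[old.dst] -= 1
            host_err[old.dst] -= int(old.flag != "SF")
            by_host_srv[(old.dst, old.service)] -= 1
        n = by_host[r.dst]
        features.append({"count": n,
                         "serror_rate": host_err[r.dst] / n,
                         "srv_count": by_host_srv[(r.dst, r.service)]})
    return features

# Constructed sample: ordinary connections to h1, then a burst of half-open
# (S0) connections to h1 from one source, then a normal connection to h2.
SAMPLE = [AuditRecord(*row) for row in [
    (0.0, "a", "h1", "http", "SF"), (0.5, "b", "h1", "http", "SF"),
    (1.0, "c", "h1", "http", "SF"), (1.2, "c", "h1", "smtp", "SF"),
    (3.0, "d", "h1", "http", "S0"), (3.1, "d", "h1", "http", "S0"),
    (3.2, "d", "h1", "ftp", "S0"), (3.3, "d", "h2", "http", "SF")]]

if __name__ == "__main__":
    for rec, f in zip(SAMPLE, extract_features(SAMPLE)):
        print(rec.t, rec.dst, rec.service, rec.flag, f)
```

The rising `serror_rate` over the burst is the kind of constructed feature a learned detection model can use, while the raw flag of any single record would not be informative on its own.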