Abstract
This paper presents a sequential pattern mining algorithm for misuse intrusion detection, which can be used to detect application layer attack. The algorithm can distinguish the order of attack behavior, and overcome the limitation of Wenke Lee’s method, which performs statistical analysis against intrusion behavior at the network layer with frequent episode algorithm. The algorithm belongs to behavior analysis technique based on protocol analysis. The preprocessed data of the algorithm are application layer connection records extracted from DARPA’s tcpdump data by protocol analysis tools. We use vertical item-transaction data structure in the algorithm. Compared with AprioriAll algorithm, the complexity of this algorithm is decreased greatly. Using this algorithm, we dig out an “intrusion-only” itemset sequential pattern, which is different from normal user command sequential pattern. Experiments indicate that our algorithm describes attacks more accurately, and it can detect those attacks whose features appear only once. Our presentation offers a new approach for the research of misuse intrusion detection.
This work was supported by 863 items No.2003AA142080 and No.2003AA142010.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Malan, G.R., Jahanian, F.: An extensible probe architecture for network protocol performance measurement. In: Proceedings of SIGCOMM, Vancouver, British Columbia, Canada, pp. 215–227 (1998)
VernPaxson. Bro: A system for detecting network intruders in real-time. Computer Networks 31(23-24), 2435–2463 (1999)
Lee, W.: A Data Mining Framework for Constructing Feature and Model for Intrusion Detection System. [D]In the Graduate School of Arts and Sciences, Columbia University (1999)
Yi-Feng, L.: Research of Distributing intrusion detection system, [D]In University of Science and Technology of China, China (May 2002)
Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. [J] Journal of Computer Security 6, 151–180 (1998)
Ayres, J., Flannick, J., Gehrke, J., Yiu, T.: Sequential pattern mining using a bitmap representation. In: SIGKDD, pp. 429–435 (2002)
DARPA Intrusion Detection Evaluation, http://www.ll.mit.edu/IST/ideval/
Yan, W.: The Research and Implementation on The Network Behavior Monitor System Based on The General Finite States Machine, [D] In Paper of the degree of Master in School of Computer Science, National University of Defense Technology, China (May 2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Song, SJ., Huang, Z., Hu, HP., Jin, SY. (2004). A Sequential Pattern Mining Algorithm for Misuse Intrusion Detection. In: Jin, H., Pan, Y., Xiao, N., Sun, J. (eds) Grid and Cooperative Computing - GCC 2004 Workshops. GCC 2004. Lecture Notes in Computer Science, vol 3252. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30207-0_57
Download citation
DOI: https://doi.org/10.1007/978-3-540-30207-0_57
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23578-1
Online ISBN: 978-3-540-30207-0
eBook Packages: Springer Book Archive