Proactive Intrusion Detection

A Study on Temporal Data Mining

Chapter in: Applications of Data Mining in Computer Security

Part of the book series: Advances in Information Security (ADIS, volume 6)

Abstract

This chapter describes a principled approach for discovering precursors to security violations in databases recorded from multiple domains in networked information systems. These precursors can be used by security analysts to better understand the evolution of complex computer attacks, and also to trigger alarms indicating that an attack is imminent. We call Proactive Intrusion Detection the utilization of these temporal rules as part of an overall Information Assurance Infrastructure, including Prevention, Detection, Response and Tolerance. The approach is rooted in time series quantization, and in the application of the Granger Causality Test of classical statistics for selecting variables that are likely to contain precursors. A methodology is proposed for discovering Precursor Rules from databases containing time series related to different regimes of a system. These Precursor Rules relate precursor events extracted from input time series with phenomenon events extracted from output time series. Given a fixed output time series containing one or more Phenomenon events, it is shown under idealized conditions that the Granger Causality Test is effective for ranking candidate time series according to the likelihood that Precursor Rules exist. Using MIB (Management Information Base) datasets collected from real experiments involving Distributed Denial of Service Attacks, it is shown that Precursor Rules relating activities at attacking machines with traffic floods at target machines can be extracted by the methodology.
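As an added worked example, not code from the chapter, the ranking-and-extraction idea the abstract describes: a Granger-style F statistic (restricted AR model of the output versus one augmented with lags of a candidate input) ranks candidate input series against a fixed output series, then each series is quantized into events and a Precursor Rule (lag, confidence) is extracted. The three counter series are constructed sample data standing in for MIB variables, and the AR order, the quantization threshold and the lag window are assumptions.

```python
"""Added example (not the chapter's code). TARGET stands for a victim's inbound packet counter,
ATTACKER for an attacking host's outbound counter, UNRELATED for an unrelated counter; all constructed."""
from statistics import mean, pstdev

TARGET = [10, 12, 13, 12, 11, 14, 13, 14, 12, 11, 14, 71, 77, 76, 73, 68, 15, 12, 13, 12]
ATTACKER = [1, 2, 1, 1, 2, 1, 2, 1, 1, 2, 30, 34, 33, 31, 29, 2, 1, 2, 1, 1]
UNRELATED = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3, 2, 3, 8, 4]

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for the (small) normal equations."""
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    n = len(m)
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def rss(rows, y):
    """Residual sum of squares of the least-squares fit of y on the regressor rows."""
    k = len(rows[0])
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    aty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = solve(ata, aty)
    return sum((yi - sum(b * v for b, v in zip(beta, r))) ** 2 for r, yi in zip(rows, y))

def granger_f(y, x, p=1):
    """F statistic: do lags 1..p of x reduce the residual of an AR(p) model of y? (p assumed)"""
    ts = range(p, len(y))
    restricted = [[1.0] + [y[t - i] for i in range(1, p + 1)] for t in ts]
    full = [row + [x[t - i] for i in range(1, p + 1)] for row, t in zip(restricted, ts)]
    rss_r, rss_u = rss(restricted, y[p:]), rss(full, y[p:])
    return ((rss_r - rss_u) / p) / (max(rss_u, 1e-12) / (len(ts) - len(full[0])))

def events(series, k=1.0):
    """Quantize a series into events: bins more than k standard deviations above its mean."""
    cut = mean(series) + k * pstdev(series)  # threshold rule is an assumption
    return {t for t, v in enumerate(series) if v > cut}

def precursor_rule(x, y, max_lag=4):
    """Best (lag, confidence): share of phenomenon events in y preceded by an x event lag bins earlier."""
    ex, ey = events(x), events(y)
    scores = [(sum((t - d) in ex for t in ey) / max(len(ey), 1), -d) for d in range(1, max_lag + 1)]
    conf, neg_lag = max(scores)  # highest confidence, shortest lag on ties
    return -neg_lag, conf

if __name__ == "__main__":
    for name, x in (("attacker", ATTACKER), ("unrelated", UNRELATED)):
        print(name, round(granger_f(TARGET, x), 1), precursor_rule(x, TARGET))
```

The attacking host's counter gets a far larger F than the unrelated one and yields the rule "attacker event at t-1 precedes target flood at t" with confidence 1.0, while the unrelated counter still produces a spurious rule of lower confidence, which is why ranking candidates before rule extraction matters.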



Copyright information

© 2002 Springer Science+Business Media New York

Cite this chapter

Cabrera, J.B.D., Lewis, L., Qin, X., Lee, W., Mehra, R.K. (2002). Proactive Intrusion Detection. In: Barbará, D., Jajodia, S. (eds) Applications of Data Mining in Computer Security. Advances in Information Security, vol 6. Springer, Boston, MA. https://doi.org/10.1007/978-1-4615-0953-0_8

  • DOI: https://doi.org/10.1007/978-1-4615-0953-0_8

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4613-5321-8

  • Online ISBN: 978-1-4615-0953-0
