
HYBRID INTRUSION DETECTION SYSTEM

This paper reports the design principles and evaluation results of a new experimental hybrid intrusion detection system (HIDS). This hybrid system combines the advantages of the low false-positive rate of a signature-based intrusion detection system (IDS) and the ability of an anomaly detection system (ADS) to detect novel, unknown attacks. By mining anomalous traffic episodes from Internet connections, we build an ADS that detects anomalies beyond the capabilities of signature-based SNORT or Bro systems. A weighted signature generation scheme is developed to integrate the ADS with SNORT by extracting signatures from the anomalies detected. HIDS extracts signatures from the output of the ADS and adds them to the SNORT signature database for fast and accurate intrusion detection. By testing our HIDS scheme over real-life Internet trace data mixed with 10 days of the Massachusetts Institute of Technology/Lincoln Laboratory (MIT/LL) attack data set, our experimental results show a 60 percent detection rate for HIDS, compared with 30 percent and 22 percent when using the SNORT and Bro systems, respectively. This sharp increase in detection rate is obtained with less than 3 percent false alarms. The signatures generated by the ADS upgrade SNORT performance by 33 percent. The HIDS approach proves the vitality of detecting intrusions and anomalies simultaneously by automated data mining and signature generation over Internet connection episodes.

Intrusion detection systems (IDSs) are systems that try to detect attacks as they occur or after they have taken place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection based or anomaly-detection based. Misuse-detection based IDSs can only detect known attacks, whereas anomaly-detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD), which are anomaly-based IDSs, with the misuse-based IDS Snort, which is an open-source project. The resulting hybrid IDS is evaluated using the MIT Lincoln Laboratory network traffic data (IDEVAL) as a testbed. The evaluation compares the number of attacks detected by the misuse-based IDS on its own with the number detected by the hybrid IDS combining anomaly-based and misuse-based IDSs, and shows that the hybrid IDS is a more powerful system.
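The two abstracts above describe the same pipeline from different angles: an anomaly detector scores traffic it was not trained on, and the anomalous episodes are turned into signatures that a misuse engine such as Snort can match quickly. The following is an added illustration of that pipeline, written for this page and not taken from either paper. The per-field n/r weighting is modelled on PHAD (Mahoney and Chan) but omits PHAD's time-since-last-anomaly factor; the connection records, field names, threshold and SID range are all constructed for the example.

```python
"""Added example: a toy hybrid IDS (anomaly detector + signature generator).

Stage 1 learns, per header field, the set of values seen in attack-free
training records.  A new record scores n/r for every field whose value was
never seen, where n is the number of training records and r the number of
distinct values observed for that field (fields with few distinct values
are trusted more).  Stage 2 emits a Snort-style rule for each record whose
score crosses a threshold, so the misuse engine can catch repeats cheaply.
All records here are constructed sample data, not real traffic.
"""
from collections import defaultdict

FIELDS = ("proto", "dst_port", "tcp_flags", "bytes_bucket")

# Constructed attack-free training set: (proto, dst_port, tcp_flags, bytes_bucket)
TRAINING = [
    ("tcp", 80, "SA", "small"), ("tcp", 80, "A", "small"),
    ("tcp", 443, "SA", "small"), ("tcp", 443, "A", "medium"),
    ("udp", 53, "-", "small"), ("tcp", 22, "SA", "small"),
    ("tcp", 80, "PA", "medium"), ("tcp", 443, "PA", "medium"),
]


class FieldAnomalyDetector:
    """Simplified PHAD-style model: one value set per header field."""

    def __init__(self, training):
        self.seen = defaultdict(set)
        self.n = len(training)
        for rec in training:
            for field, value in zip(FIELDS, rec):
                self.seen[field].add(value)

    def score(self, rec):
        """Sum of n/r over fields whose value never appeared in training."""
        total = 0.0
        for field, value in zip(FIELDS, rec):
            if value not in self.seen[field]:
                r = len(self.seen[field])
                total += self.n / r
        return total


def snort_rule(rec, sid):
    """Render an anomalous record as a Snort rule (constructed msg/sid)."""
    proto, port, flags, _bucket = rec
    flag_opt = f" flags:{flags};" if proto == "tcp" and flags != "-" else ""
    return (f"alert {proto} any any -> $HOME_NET {port} "
            f'(msg:"ADS-generated anomaly";{flag_opt} sid:{sid}; rev:1;)')


def run_hids(detector, records, threshold, first_sid=1000000):
    """Score each record; return the signatures generated for anomalies."""
    rules = []
    for rec in records:
        if detector.score(rec) >= threshold:
            rules.append(snort_rule(rec, first_sid + len(rules)))
    return rules


if __name__ == "__main__":
    det = FieldAnomalyDetector(TRAINING)
    # Constructed test records: one benign, one unseen port/flag/size, one unseen proto.
    live = [("tcp", 80, "A", "small"), ("tcp", 4444, "S", "large"), ("icmp", 0, "-", "small")]
    for rule in run_hids(det, live, threshold=3.0):
        print(rule)
```

The threshold is the knob that trades the anomaly detector's false-alarm rate against its coverage; in the scheme the abstracts describe, only episodes above it are promoted into signatures, so a mis-set threshold either floods the signature database or starves it.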

MINING ASSOCIATION RULES WITH ITEM CONSTRAINTS

Association rule mining is an important task in data mining. In practice, users are often interested in only a subset of association rules and want only those rules that contain a specific item. Integrating such item constraints into the mining process yields more efficient algorithms. This paper addresses the problem of distributed mining of association rules with item constraints formalized as Boolean expressions, and presents a fast algorithm called DMCA. The principles and implementation of the algorithm are discussed. Experiments demonstrate the efficiency of the algorithm.

The problem of discovering association rules has received considerable research attention, and several fast algorithms for mining association rules have been developed. In practice, users are often interested in a subset of association rules. For example, they may only want rules that contain a specific item, or rules that contain children of a specific item in a hierarchy. While such constraints can be applied as a post-processing step, integrating them into the mining algorithm can dramatically reduce the execution time. We consider the problem of integrating constraints that are Boolean expressions over the presence or absence of items into the association discovery algorithm. We present three integrated algorithms for mining association rules with item constraints and discuss their tradeoffs.

A CLUSTERING ALGORITHM FOR DATA MINING BASED ON SWARM INTELLIGENCE

Swarm intelligence describes the ability of groups of social animals and insects to exhibit highly organized and complex problem-solving behaviors that allow the group as a whole to accomplish tasks which are beyond the capabilities of any one of the constituent individuals. This natural phenomenon is the inspiration for swarm intelligence systems, a class of algorithms that utilizes the emergent patterns of swarms to solve computational problems. Recently, there have been a number of publications regarding the application of swarm intelligence to various data mining problems, yet very few consider multi-threaded, let alone GPU-based, implementations. In this paper we adopt the General-Purpose GPU parallel computing model and show how it can be leveraged to increase the accuracy and efficiency of two types of swarm intelligence algorithms for data mining. To illustrate the efficacy of GPU computing for swarm intelligence, we present two swarm intelligence data mining algorithms implemented with CUDA for execution on a GPU device. These algorithms are: (1) AntMinerGPU, an ant colony optimization algorithm for rule-based classification, and (2) ClusterFlockGPU, a bird-flocking algorithm for data clustering. Our results indicate that the AntMinerGPU algorithm is markedly faster than the sequential algorithm on which it is based, and is able to produce classification rules which are competitive with those generated by traditional methods. Additionally, we show that ClusterFlockGPU is competitive with other swarm intelligence and traditional clustering methods, and is not affected by the dimensionality of the data being clustered, making it theoretically well-suited for high-dimensional problems.

Clustering analysis is an important function of data mining. Various clustering methods are needed for different domains and applications. A clustering algorithm for data mining based on swarm intelligence, called Ant-Cluster, is proposed in this paper. The Ant-Cluster algorithm introduces the concept of multiple populations of ants with different speeds, and adopts a fixed-moving-times method to deal with outliers and the locked-ant problem. Finally, we experiment on a telecom company's customer data set with SWARM, agent-based model simulation software, which is integrated in SIMiner, a data mining software system developed in our own studies based on swarm intelligence. The results show that the Ant-Cluster algorithm can obtain clustering results effectively without being given the number of clusters, and performs better than the k-means algorithm.

AGENT BASED EFFICIENT ANOMALY INTRUSION DETECTION SYSTEM IN ADHOC NETWORKS

Networks are protected using many firewalls and encryption software. But many of them are not sufficient and effective. Most intrusion detection systems for mobile ad hoc networks focus on either routing protocols or their efficiency, but fail to address the security issues. Some of the nodes may be selfish, for example by not forwarding packets to the destination, thereby saving battery power. Others may act maliciously by launching security attacks such as denial of service or stealing information. The ultimate goal of security solutions for wireless networks is to provide security services, such as authentication, confidentiality, integrity, anonymity, and availability, to mobile users. This paper incorporates agents and data mining techniques to prevent anomaly intrusion in mobile ad hoc networks. Home agents present in each system collect data from their own system and use data mining techniques to observe local anomalies. Mobile agents monitor the neighboring nodes and collect information from neighboring home agents to determine the correlation among the observed anomalous patterns before the data is sent. This system was able to stop all of the successful attacks in an ad hoc network and reduce false positives.

KNOWLEDGE-BASED INTERACTIVE POSTMINING OF ASSOCIATION RULES USING ONTOLOGIES

In Data Mining, the usefulness of association rules is strongly limited by the huge amount of delivered rules. To overcome this drawback, several methods were proposed in the literature such as itemset concise representations, redundancy reduction, and postprocessing. However, being generally based on statistical information, most of these methods do not guarantee that the extracted rules are interesting for the user. Thus, it is crucial to help the decision-maker with an efficient postprocessing step in order to reduce the number of rules. This paper proposes a new interactive approach to prune and filter discovered rules. First, we propose to use ontologies in order to improve the integration of user knowledge in the postprocessing task. Second, we propose the Rule Schema formalism extending the specification language proposed by Liu et al. for user expectations. Furthermore, an interactive framework is designed to assist the user throughout the analyzing task. Applying our new approach over voluminous sets of rules, we were able, by integrating domain expert knowledge in the postprocessing step, to reduce the number of rules to several dozens or less. Moreover, the quality of the filtered rules was validated by the domain expert at various points in the interactive process.

ASSOCIATION rule mining, introduced in [1], is considered one of the most important tasks in Knowledge Discovery in Databases [2]. Among sets of items in transaction databases, it aims at discovering implicative tendencies that can be valuable information for the decision-maker. An association rule is defined as the implication $X \rightarrow Y$, described by two interestingness measures, support and confidence, where $X$ and $Y$ are sets of items and $X \cap Y = \emptyset$. Apriori [1] is the first algorithm proposed in the association rule mining field, and many other algorithms were derived from it. Starting from a database, it proposes to extract all association rules satisfying minimum thresholds of support and confidence. It is very well known that mining algorithms can discover a prohibitive amount of association rules; for instance, thousands of rules are extracted from a database of several dozen attributes and several hundred transactions. Furthermore, as suggested by Silberschatz and Tuzhilin [3], valuable information is often represented by those rare (low support) and unexpected association rules which are surprising to the user. So, the more we increase the support threshold, the more efficient the algorithms are and the more obvious the discovered rules are, and hence the less interesting they are for the user. As a result, it is necessary to bring the support threshold low enough to extract valuable information.
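As an added worked example for both the item-constraint abstracts above and the definition just given, the following Apriori-style miner (written for this page, not the code of any of the cited papers) extracts rules $X \rightarrow Y$ with $X \cap Y = \emptyset$ from a constructed transaction set, filters them by minimum support and confidence, and accepts an item constraint as a Boolean predicate over the rule's items. The transactions, thresholds and the `constraint` parameter are all assumptions of the example.

```python
"""Added example: Apriori with support/confidence thresholds and item constraints.

support(X -> Y)    = fraction of transactions containing X ∪ Y
confidence(X -> Y) = support(X ∪ Y) / support(X)
An item constraint is any Boolean predicate over the antecedent X and the
consequent Y; rules failing it are dropped.  Transactions are constructed.
"""
from itertools import combinations

# Constructed market-basket transactions (not real data).
TRANSACTIONS = [
    {"bread", "milk"},
    {"bread", "diapers", "beer", "eggs"},
    {"milk", "diapers", "beer", "cola"},
    {"bread", "milk", "diapers", "beer"},
    {"bread", "milk", "diapers", "cola"},
]


def support(itemset, transactions):
    """Fraction of transactions that contain every item of itemset."""
    hits = sum(1 for t in transactions if itemset <= t)
    return hits / len(transactions)


def frequent_itemsets(transactions, minsup):
    """Level-wise Apriori: size-k candidates come from frequent (k-1)-itemsets,
    and a candidate is kept only if all its (k-1)-subsets are frequent
    (support is antimonotonic, so nothing frequent is lost by pruning)."""
    items = sorted({i for t in transactions for i in t})
    level = [frozenset([i]) for i in items if support({i}, transactions) >= minsup]
    frequent = {fs: support(fs, transactions) for fs in level}
    k = 2
    while level:
        candidates = set()
        for a, b in combinations(level, 2):
            u = a | b
            if len(u) == k and all(frozenset(s) in frequent for s in combinations(u, k - 1)):
                candidates.add(u)
        level = [c for c in candidates if support(c, transactions) >= minsup]
        for c in level:
            frequent[c] = support(c, transactions)
        k += 1
    return frequent


def mine_rules(transactions, minsup, minconf, constraint=lambda X, Y: True):
    """Return sorted (X, Y, support, confidence) tuples for rules X -> Y that
    meet minsup, minconf and the user's item constraint."""
    frequent = frequent_itemsets(transactions, minsup)
    rules = []
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for X in combinations(itemset, r):
                X = frozenset(X)
                Y = itemset - X          # guarantees X ∩ Y = ∅
                conf = sup / frequent[X]  # X is frequent by antimonotonicity
                if conf >= minconf and constraint(X, Y):
                    rules.append((tuple(sorted(X)), tuple(sorted(Y)),
                                  round(sup, 2), round(conf, 2)))
    return sorted(rules)


def mentions(item):
    """Item constraint: keep only rules in which `item` appears on either side."""
    return lambda X, Y: item in X or item in Y


if __name__ == "__main__":
    for rule in mine_rules(TRANSACTIONS, minsup=0.4, minconf=0.6, constraint=mentions("beer")):
        print(rule)
```

Running the miner at minsup 0.4 and again at 0.6 on the same data shows the effect the paragraph above describes: the rare item (cola, in 2 of 5 baskets) only appears in rules at the lower threshold, while the higher threshold leaves just the obvious rules among the most common items.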
