IDDM : intrusion detection using data mining techniques
Scientific Publication
- Report Number:
- DSTO-GD-0286
- Authors:
- Abraham, T.
- Issue Date:
- 2001-05
- AR Number:
- AR-011-868
- Classification:
- UNCLASSIFIED
- Report Type:
- General Document
- Division:
- Information Technology Division (ITD)
- Release Authority:
- Chief, Information Technology Division
- Task Sponsor:
- DISG
- Task Number:
- JNT 98/152
- File Number:
- N9505/21/38
- Pages:
- 34
- References:
- 14
- Terms:
- Intrusion detection
- URI:
- http://hdl.handle.net/1947/3750
Abstract
The IDDM project aims to determine the feasibility and effectiveness of data mining techniques in real-time intrusion detection and to produce solutions for this purpose. Traditionally, data mining is designed to operate on large off-line data sets, and previous attempts to apply the discipline in real-time environments have met with varying success. In this paper, the author reviews earlier attempts to employ data mining principles in intrusion detection and presents a possible system architecture for this purpose. It is shown that by combining data mining algorithms with agent technologies, near real-time operation may be attained.
Executive Summary
The IDDM project investigates the potential use of the data mining paradigm in near real-time intrusion detection in order to develop techniques for the defence of computing networks. To protect networks, intrusion detection systems aim to recognise attacks while meeting two primary requirements: a high detection rate and a low false alarm rate. As attacks fall into two categories, those that are known and those that have not been seen previously, it is imperative that good descriptions of both existing attacks and normal network behaviour are available. Data mining is recognised as a useful tool for extracting regularities in data and has therefore been the subject of some investigation for its use in intrusion detection. The IDDM project focuses on the use of data mining in the latter context, by producing descriptions of network data and using this information for deviation analysis. A number of existing technologies are available for this purpose, some of which are evaluated as part of the project. As part of the investigative process, this report also details an architecture designed to accommodate the deviation analysis process. This process is performed by meta-mining techniques that characterise change between network data descriptions produced at different times. When large deviations between descriptions are detected, the system can produce appropriate alarm notices. The outcomes of the IDDM project are hence the abilities to characterise network data and to detect variations in these characteristics over time. Combining this capability with tools that either recognise existing attack patterns or operate similarly to IDDM strengthens the ability of intrusion detection professionals to recognise and potentially react to unwanted violations of network operations.
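The deviation-analysis loop described above (describe each window of network data, meta-mine the change between descriptions produced at different times, alarm on large deviations) can be illustrated in miniature. The following is an added example, not code from the IDDM report or from DSTO. Its assumptions are mine, not the report's: a window's description is the set of frequent itemsets mined from its connection records, the change between two descriptions is measured as a weighted Jaccard distance over itemset supports, and the minimum support, alarm threshold and connection records are all constructed for the demonstration.

```python
"""Deviation analysis over mined descriptions of network traffic windows.

Added example, not code from the IDDM report. Assumptions (mine, not the
report's): a window's description is the set of frequent itemsets mined
from its connection records, and change between two descriptions is
measured by a weighted Jaccard distance over itemset supports.
"""
from collections import Counter
from itertools import combinations

MIN_SUPPORT = 0.3       # assumed: an itemset must cover >= 30% of a window's records
ALERT_THRESHOLD = 0.5   # assumed: deviation above this value raises an alarm
MAX_ITEMSET_SIZE = 2    # assumed: mine single items and pairs only


def conn(src, dst_port, flag, proto="tcp"):
    """One connection record (constructed sample data, not captured traffic)."""
    return {"src": src, "dst_port": dst_port, "proto": proto, "flag": flag}


# Constructed windows. T0 and T1: three internal hosts browsing on 80/443.
# T2: host h9 probes seven ports and gets no reply (flag S0), alongside a
# little normal traffic.
WINDOW_T0 = [conn("h1", 80, "SF"), conn("h1", 80, "SF"), conn("h1", 80, "SF"),
             conn("h1", 443, "SF"), conn("h2", 80, "SF"), conn("h2", 80, "SF"),
             conn("h2", 443, "SF"), conn("h3", 80, "SF"), conn("h3", 443, "SF"),
             conn("h3", 443, "SF")]
WINDOW_T1 = [conn("h1", 80, "SF"), conn("h1", 80, "SF"), conn("h1", 443, "SF"),
             conn("h1", 443, "SF"), conn("h2", 80, "SF"), conn("h2", 80, "SF"),
             conn("h2", 80, "SF"), conn("h3", 80, "SF"), conn("h3", 443, "SF"),
             conn("h3", 80, "SF")]
WINDOW_T2 = [conn("h9", p, "S0") for p in (21, 22, 23, 25, 110, 139, 445)] + [
             conn("h1", 80, "SF"), conn("h2", 80, "SF"), conn("h3", 443, "SF")]


def mine_description(records, min_support=MIN_SUPPORT, max_size=MAX_ITEMSET_SIZE):
    """Data-mining step: summarise a window as {frequent itemset: support}.

    Itemsets are frozensets of 'attribute=value' strings. Enumeration is
    brute force, adequate for a demonstration but not for real volumes.
    """
    counts = Counter()
    for rec in records:
        items = sorted(f"{k}={v}" for k, v in rec.items())
        for size in range(1, max_size + 1):
            for combo in combinations(items, size):
                counts[frozenset(combo)] += 1
    n = len(records)
    return {iset: c / n for iset, c in counts.items() if c / n >= min_support}


def deviation(desc_old, desc_new):
    """Meta-mining step: characterise change between two descriptions.

    Returns (score, appeared, vanished). score is the weighted Jaccard
    distance 1 - sum(min)/sum(max) over itemset supports: 0.0 for identical
    descriptions, 1.0 when no frequent itemset is shared at all.
    """
    keys = set(desc_old) | set(desc_new)
    if not keys:
        return 0.0, set(), set()
    shared = sum(min(desc_old.get(k, 0.0), desc_new.get(k, 0.0)) for k in keys)
    total = sum(max(desc_old.get(k, 0.0), desc_new.get(k, 0.0)) for k in keys)
    appeared = set(desc_new) - set(desc_old)
    vanished = set(desc_old) - set(desc_new)
    return 1.0 - shared / total, appeared, vanished


def analyse_windows(windows, threshold=ALERT_THRESHOLD):
    """Run deviation analysis over consecutive windows and return alarms.

    Each alarm is (window_index, score, appeared); the newly frequent
    itemsets are the analyst's first clue to what changed.
    """
    descriptions = [mine_description(w) for w in windows]
    alarms = []
    for i in range(1, len(descriptions)):
        score, appeared, _ = deviation(descriptions[i - 1], descriptions[i])
        if score > threshold:
            alarms.append((i, round(score, 3), appeared))
    return alarms


if __name__ == "__main__":
    for idx, score, appeared in analyse_windows([WINDOW_T0, WINDOW_T1, WINDOW_T2]):
        print(f"ALARM window {idx}: deviation={score}")
        for iset in sorted(appeared, key=lambda s: (len(s), sorted(s))):
            print("  newly frequent:", ", ".join(sorted(iset)))
```

Running the script alarms only on the T1 to T2 transition, and the itemsets that newly became frequent (src=h9 together with flag=S0) point straight at the scanning host. The two normal windows differ slightly in their port mix yet score well under the threshold, which is the property a deviation-based detector needs if it is to keep the false alarm rate low; in practice the threshold and minimum support would be tuned against a period of known-clean traffic rather than fixed as here.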
