Mining Behavior Models. Wenke Lee, College of Computing, Georgia Institute of Technology.

1 Mining Behavior Models. Wenke Lee, College of Computing, Georgia Institute of Technology

2 Cyber Threats and Countermeasures: Prevent, Detect, React/Survive. Security principles: layered mechanisms

3 Elements of Intrusion Detection
Primary assumptions:
–System activities are observable
–Normal and intrusive activities have distinct evidence
Components of intrusion detection systems:
–From an algorithmic perspective: features capture intrusion evidence; models piece the evidence together
–From a system architecture perspective: audit data processor, knowledge base, decision engine, alarm generation and responses

4 Applying Data Mining to Intrusion Detection
Motivation:
–Semi-automatically construct or customize ID models for a given environment
Rationale:
–From the data-centric point of view, intrusion detection is a data mining/analysis process
–Successful applications in related domains, e.g., fraud detection, fault/alarm management

5 The Iterative DM Process of Building ID Models (the MADAM ID workflow)
raw audit data -> packets/events (ASCII) -> connection/session records -> features -> patterns -> models

6 Data Mining System Perspective (HAWKEYE PLATFORM, System Detection Inc.)
Offline: Step 1: Log system behavior (user activity, local network activity, host activity, system activity) in a data warehouse. Step 2: Mine the data offline. Step 3: Produce a predictive detection model, with model evaluation by the analyst. Step 4: Integrate the new model with the existing IDS and its knowledge base of signatures.
Online: Step 5: Detect new attacks with the enhanced IDS; real-time attack recognition on audit data from the Internet, alerting on known attacks and on new attacks.

7 The Nuggets
Feature extraction and construction:
–The key to producing effective ID models
–Better pay-off than just applying yet another model learning algorithm
–How to semi-automate the feature discovery process: incorporating domain knowledge; semi-structured/text mining

8 The Nuggets (continued)
Efficiency:
–Training: huge amount of audit data. Sampling? Always retrain from scratch, or incrementally?
–Execution of the output model in real time: consider feature cost (time); trade-off of cost vs. accuracy
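As an added example (not from the slides or from MADAM ID itself), the workflow of slides 5, 7 and 8 in miniature: constructed connection records are turned into per-connection window features, and a hand-written rule of the kind a learner would output tests the cheap intrinsic feature before computing the costlier window features. The record fields, feature names and rule thresholds are assumptions made for the illustration.

```python
from collections import namedtuple

# Connection record as produced by the pre-processing stage of the workflow:
# timestamp (s), source host, destination host, service, TCP status flag
# ("SF" = normal completion, "S0" = SYN seen, no reply). Constructed sample data.
Conn = namedtuple("Conn", "t src dst service flag")

SAMPLE = [
    Conn(0, "10.0.0.5", "10.0.0.9", "http", "SF"),
    Conn(1, "10.0.0.5", "10.0.0.9", "http", "SF"),
    Conn(2, "10.0.0.7", "10.0.0.9", "ssh", "S0"),
    Conn(2, "10.0.0.7", "10.0.0.9", "ftp", "S0"),
    Conn(3, "10.0.0.7", "10.0.0.9", "smtp", "S0"),
    Conn(3, "10.0.0.7", "10.0.0.9", "telnet", "S0"),
    Conn(4, "10.0.0.5", "10.0.0.9", "http", "SF"),
]


def window_features(records, i, window=2.0):
    """Temporal-statistical features for records[i]: summarise the connections to
    the same destination host within the preceding `window` seconds (the record
    itself included). These are the costly features: they need a scan over history."""
    c = records[i]
    recent = [r for r in records[: i + 1] if r.dst == c.dst and c.t - r.t <= window]
    n = len(recent)
    return {
        "count": n,
        "same_srv_rate": round(sum(r.service == c.service for r in recent) / n, 2),
        "s0_rate": round(sum(r.flag == "S0" for r in recent) / n, 2),
    }


def classify(records, window=2.0):
    """Apply an assumed detection rule. The cheap intrinsic feature (the record's
    own flag) is tested first, so the expensive window features are only computed
    for candidate records: the cost vs. accuracy trade-off of slide 8 made concrete."""
    alerts = []
    for i, c in enumerate(records):
        if c.flag != "S0":          # per-record feature: no history needed
            continue
        f = window_features(records, i, window)
        if f["count"] >= 4 and f["same_srv_rate"] <= 0.25 and f["s0_rate"] >= 0.75:
            alerts.append((i, f))   # many half-open connections to many services
    return alerts


if __name__ == "__main__":
    for i, f in classify(SAMPLE):
        print(i, SAMPLE[i].src, "->", SAMPLE[i].dst, SAMPLE[i].service, f)
```

With the sample above, only the last two half-open connections from 10.0.0.7 trigger the rule; the benign http connection that follows them shares their window statistics but is filtered out by the cheap per-record check.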

9 The Nuggets (continued)
Anomaly detection:
–Can there be a general approach?
–Theoretical foundations
–Rare events

10 Conclusions
DM can play a key role in ID. Research should be focused on the real nuggets:
–Feature construction
–Efficiency
–Anomaly detection

11 Thank You!