Automated discovery of concise predictive rules for intrusion detection

Guy Helmer, Johnny S K Wong, Vasant Honavar, Les Miller

Research output: Contribution to journal › Article

39 Citations (Scopus)

Abstract

This paper details an essential component of a multi-agent distributed knowledge network system for intrusion detection. We describe a distributed intrusion detection architecture, complete with a data warehouse and mobile and stationary agents for distributed problem-solving to facilitate building, monitoring, and analyzing global, spatio-temporal views of intrusions on large distributed systems. An agent for the intrusion detection system, which uses a machine learning approach to automated discovery of concise rules from system call traces, is described. We use a feature vector representation to describe the system calls executed by privileged processes. The feature vectors are labeled as good or bad depending on whether or not they were executed during an observed attack. A rule learning algorithm is then used to induce rules that can be used to monitor the system and detect potential intrusions. We study the performance of the rule learning algorithm on this task with and without feature subset selection using a genetic algorithm. Feature subset selection is shown to significantly reduce the number of features used while improving the accuracy of predictions.

Original language: English (US)
Pages (from-to): 165-175
Number of pages: 11
Journal: Journal of Systems and Software
Volume: 60
Issue number: 3
DOI: 10.1016/S0164-1212(01)00088-7
State: Published - Feb 15 2002

Fingerprint

Intrusion detection
Set theory
Learning algorithms
Data warehouses
Learning systems
Genetic algorithms
Monitoring

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Hardware and Architecture

Cite this

Helmer, Guy; Wong, Johnny S K; Honavar, Vasant; Miller, Les. Automated discovery of concise predictive rules for intrusion detection. In: Journal of Systems and Software. 2002; Vol. 60, No. 3. pp. 165-175.
@article{fc11a4ac12dd4c93b07a72b0301ae537,
title = "Automated discovery of concise predictive rules for intrusion detection",
author = "Guy Helmer and Wong, {Johnny S K} and Vasant Honavar and Les Miller",
year = "2002",
month = "2",
day = "15",
doi = "10.1016/S0164-1212(01)00088-7",
language = "English (US)",
volume = "60",
pages = "165--175",
journal = "Journal of Systems and Software",
issn = "0164-1212",
publisher = "Elsevier Inc.",
number = "3",
}

TY  - JOUR
T1  - Automated discovery of concise predictive rules for intrusion detection
AU  - Helmer, Guy
AU  - Wong, Johnny S K
AU  - Honavar, Vasant
AU  - Miller, Les
PY  - 2002/2/15
Y1  - 2002/2/15
UR  - http://www.scopus.com/inward/record.url?scp=0037083574&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=0037083574&partnerID=8YFLogxK
U2  - 10.1016/S0164-1212(01)00088-7
DO  - 10.1016/S0164-1212(01)00088-7
M3  - Article
AN  - SCOPUS:0037083574
VL  - 60
SP  - 165
EP  - 175
JO  - Journal of Systems and Software
JF  - Journal of Systems and Software
SN  - 0164-1212
IS  - 3
ER  -