Abstract - Technical Program - ID 99
Automated Intrusion Detection Using NFR: Methods and Experiences
Wenke Lee, Christopher T. Park, and Salvatore J. Stolfo, Columbia University
There is often the need to update an installed Intrusion
Detection System (IDS) due to new attack methods or
upgraded computing environments. Since many current
IDSs are constructed by manual encoding of expert
security knowledge, changes to IDSs are expensive
and require a large amount of programming and debugging.
We describe a data mining framework for adaptively
building Intrusion Detection (ID) models specifically
for use with Network Flight Recorder (NFR). The
central idea is to utilize auditing programs to extract
an extensive set of features that describe each network
connection or host session, and apply data mining programs
to learn rules that accurately capture the behavior
of intrusions and normal activities. These rules can be
used for misuse detection and anomaly detection. Detection
models are then incorporated into NFR through a
machine translator, which produces a working detection
model in the form of N-Code, NFR's powerful filtering
- View the full text of this paper in
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
- To become a USENIX Member, please see our Membership Information.