• DocumentCode
    1659011
  • Title
    Frequent episode rules for Internet anomaly detection
  • Author
    Qin, Min ; Hwang, Kai
  • Author_Institution
    Southern California Univ., Los Angeles, CA, USA
  • fYear
    2004
  • Firstpage
    161
  • Lastpage
    168
  • Abstract
    This work introduces a new Internet trace technique for generating frequent episode rules to characterize Internet traffic events. These episode rules are used to distinguish anomalous sequences of TCP, UDP, or ICMP connections from normal traffic episodes. Fundamental pruning techniques are introduced to reduce the rule search space by 70%. The new detection scheme was tested over real-life Internet trace data at USC. Our anomaly detection scheme results in a success rate of 47% for DoS, R2L, and port-scanning attacks. These results demonstrate an average of 51% improvement over the use of association rules. We experienced 20 or fewer false alarms over 200 network attacks in 9 days of tracing experiments. This anomaly detection scheme can be used jointly with signature-based IDS to achieve even higher detection efficiency.
  • Keywords
    Internet; data mining; grid computing; security of data; telecommunication traffic; DoS attacks; ICMP; Internet anomaly detection; Internet trace; Internet traffic events; R2L attacks; TCP; UDP; anomalous sequences; association rules; false alarms; frequent episode rules; grid computing; intrusion detection; network attacks; network security; port-scanning attacks; pruning techniques; rule search space; signature-based IDS; traffic datamining; Computer applications; Computer networks; IP networks; Internet;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network Computing and Applications, 2004. (NCA 2004). Proceedings. Third IEEE International Symposium on
  • Print_ISBN
    0-7695-2242-4
  • Type
    conf
  • DOI
    10.1109/NCA.2004.1347773
  • Filename
    1347773