DocumentCode
3138680
Title
Using data mining to discover signatures in network-based intrusion detection
Author
Han, Hong ; Lu, Xian Liang ; Ren, Li Yong
Author_Institution
Dept. of Comput. Sci., Univ. of Electron. Sci. & Technol. of China, Chengdu, China
Volume
1
fYear
2002
fDate
2002
Firstpage
13
Abstract
In network-based intrusion detection, signature discovery is an important issue, since the performance of an intrusion detection system depends heavily on the accuracy and abundance of its signatures. In most cases, these signatures have to be found manually, which is time-consuming and error-prone work. We present a data mining approach to support signature discovery in a network-based intrusion detection system. It generates signatures for a misuse-detection intrusion detection system (IDS) based not only on associations among attributes of the transfer protocol, but also on the content of the traffic. Until now, no paper has studied how to mine traffic content to generate signatures for an IDS. Our work allows people to find the signatures of an intrusion easily and provides a third-party IDS (for example, Snort) with candidate signatures. To discover signatures, we present an algorithm called Signature Apriori. An experimental system named SigSniffer has been implemented to test the feasibility of the proposed approach.
Keywords
computer network management; data mining; security of data; SigSniffer; Signature Apriori; Snort; data mining; misuse detection; network-based intrusion detection; signatures discovery; traffic content; transfer protocol; Computer science; Data mining; Electronic mail; Intelligent networks; Intrusion detection; Monitoring; Operating systems; Protocols; System testing; Telecommunication traffic;
fLanguage
English
Publisher
ieee
Conference_Titel
Machine Learning and Cybernetics, 2002. Proceedings. 2002 International Conference on
Print_ISBN
0-7803-7508-4
Type
conf
DOI
10.1109/ICMLC.2002.1176698
Filename
1176698
Link To Document