TY - JOUR
T1 - Automated discovery of concise predictive rules for intrusion detection
AU - Helmer, Guy
AU - Wong, Johnny S K
AU - Honavar, Vasant
AU - Miller, Les
N1 - Funding Information:
This work was supported by the Department of Defense. Thanks to the Computer Immune System Project at the University of New Mexico's Computer Science Department for the use of their sendmail system call data.
Funding Information:
He was an investigator for research contracts with Telecom Australia from 1983 to 1986, studying the performance of network protocols of the ISDN. During this period, he contributed to the study and evaluation of the communication architecture and protocols of ISDN. From 1989 to 1990, he was the Principal Investigator for a research contract with Microware Systems Corporation at Des Moines, Iowa. This involved the study of Coordinated Multimedia Communication in ISDN. In the summers of 1991 and 1992, Dr. Wong was supported by IBM Corporation in Rochester. While at IBM, he worked on the Distributed Computing Environment (DCE) for the Application Systems. This involved the integration of communication protocols and distributed database concepts. Dr. Wong is also involved in the Coordinated Multimedia System (COMS) in the Courseware Matrix Software Project, funded by the NSF Synthesis Coalition Project to enhance engineering education. From 1993 to 1996, he worked on a research project on a knowledge-based system for energy conservation education using multimedia communication technology, funded by the Iowa Energy Center. From 1995 to 1996, he was supported by the Ames Laboratory of the Department of Energy (DOE), working on middleware for multidatabase systems.
Funding Information:
He was involved in projects on Intelligent Multi-Agents for Intrusion Detection and Countermeasures, funded by the Department of Defense (DoD), and on Database Generating and X-Ray Displaying on the World Wide Web Applications, funded by the Mayo Foundation. Currently, he is working on the CISE Educational Innovation: Integrated Security Curricular Modules and the NSF SFS Program on Information Assurance, both funded by the National Science Foundation (NSF).
Funding Information:
Vasant Honavar received his Ph.D. in Computer Science and Cognitive Science from the University of Wisconsin, Madison. He directs the Artificial Intelligence Research Laboratory in the Department of Computer Science at Iowa State University, where he is currently a full professor. He also serves on the faculties of interdepartmental programs in Information Assurance and Bioinformatics and Computational Biology. His current research and teaching interests include Artificial Intelligence, Machine Learning, Data Mining and Knowledge Discovery, Distributed Learning, Distributed Heterogeneous Information Integration, Distributed Information Infrastructures, Intelligent Agents and Multi-Agent Systems, Bioinformatics and Computational Biology, Distributed Artificial Intelligence, Applied Artificial Intelligence, and Information Security. He has published over 100 research papers in refereed journals, books, and conferences and has co-edited three books. He is a Co-Editor-in-Chief of the Journal of Cognitive Systems Research and an Associate Editor of the Information Sciences Journal. His research has been partially funded by grants from the National Science Foundation, the John Deere Foundation, the Department of Defense, Pioneer Hi-Bred, and IBM. Prof. Honavar is a member of ACM, AAAI, IEEE, and the New York Academy of Sciences.
Copyright:
Copyright 2008 Elsevier B.V., All rights reserved.
PY - 2002/2/15
Y1 - 2002/2/15
N2 - This paper details an essential component of a multi-agent distributed knowledge network system for intrusion detection. We describe a distributed intrusion detection architecture, complete with a data warehouse and mobile and stationary agents for distributed problem-solving to facilitate building, monitoring, and analyzing global, spatio-temporal views of intrusions on large distributed systems. An agent for the intrusion detection system, which uses a machine learning approach to automated discovery of concise rules from system call traces, is described. We use a feature vector representation to describe the system calls executed by privileged processes. The feature vectors are labeled as good or bad depending on whether or not they were executed during an observed attack. A rule learning algorithm is then used to induce rules that can be used to monitor the system and detect potential intrusions. We study the performance of the rule learning algorithm on this task with and without feature subset selection using a genetic algorithm. Feature subset selection is shown to significantly reduce the number of features used while improving the accuracy of predictions.
AB - This paper details an essential component of a multi-agent distributed knowledge network system for intrusion detection. We describe a distributed intrusion detection architecture, complete with a data warehouse and mobile and stationary agents for distributed problem-solving to facilitate building, monitoring, and analyzing global, spatio-temporal views of intrusions on large distributed systems. An agent for the intrusion detection system, which uses a machine learning approach to automated discovery of concise rules from system call traces, is described. We use a feature vector representation to describe the system calls executed by privileged processes. The feature vectors are labeled as good or bad depending on whether or not they were executed during an observed attack. A rule learning algorithm is then used to induce rules that can be used to monitor the system and detect potential intrusions. We study the performance of the rule learning algorithm on this task with and without feature subset selection using a genetic algorithm. Feature subset selection is shown to significantly reduce the number of features used while improving the accuracy of predictions.
UR - http://www.scopus.com/inward/record.url?scp=0037083574&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=0037083574&partnerID=8YFLogxK
U2 - 10.1016/S0164-1212(01)00088-7
DO - 10.1016/S0164-1212(01)00088-7
M3 - Article
AN - SCOPUS:0037083574
SN - 0164-1212
VL - 60
SP - 165
EP - 175
JO - Journal of Systems and Software
JF - Journal of Systems and Software
IS - 3
ER -