Automated discovery of concise predictive rules for intrusion detection

Guy Helmer, Johnny S K Wong, Vasant Honavar, Les Miller

Research output: Contribution to journalArticlepeer-review

44 Scopus citations


This paper details an essential component of a multi-agent distributed knowledge network system for intrusion detection. We describe a distributed intrusion detection architecture, complete with a data warehouse and mobile and stationary agents for distributed problem-solving to facilitate building, monitoring, and analyzing global, spatio-temporal views of intrusions on large distributed systems. An agent for the intrusion detection system, which uses a machine learning approach to automated discovery of concise rules from system call traces, is described. We use a feature vector representation to describe the system calls executed by privileged processes. The feature vectors are labeled as good or bad depending on whether or not they were executed during an observed attack. A rule learning algorithm is then used to induce rules that can be used to monitor the system and detect potential intrusions. We study the performance of the rule learning algorithm on this task with and without feature subset selection using a genetic algorithm. Feature subset selection is shown to significantly reduce the number of features used while improving the accuracy of predictions.

Original languageEnglish (US)
Pages (from-to)165-175
Number of pages11
JournalJournal of Systems and Software
Issue number3
StatePublished - Feb 15 2002

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Hardware and Architecture


Dive into the research topics of 'Automated discovery of concise predictive rules for intrusion detection'. Together they form a unique fingerprint.

Cite this