System and network auditing captures large amounts of data. These audit data may contain evidence of intrusions and can therefore be used for intrusion detection. But audit trails contain a great many events, and only a few of them may indicate an intrusion. To extract the necessary information, we can use data mining techniques. Intrusion detection systems (IDSs) work with audit data, which are in effect a sequence of events ordered in time.
Frequent episodes give us an efficient way of representing partial-order relationships between events. We will use frequent episodes for data mining in intrusion detection.
Today's IDSs embody efficiency trade-offs, in particular between speed and accuracy. Misuse-based IDSs do not recognize unknown attacks, while anomaly-based IDSs produce many false alarms. Several frequent episode discovery algorithms exist that are claimed to be both fast and precise. Moreover, we can trade speed against precision by adjusting the corresponding thresholds. We will build an experimental IDS that combines the misuse and anomaly approaches on the basis of a notion of hierarchical frequency that we introduce. The IDS will be constructed solely from frequent episode discovery, matching, and pruning algorithms. We believe that this IDS will be at least as efficient as today's IDSs.
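To make the notion of a frequent episode and its frequency threshold concrete, the following is an added example (not code from this paper): a level-wise discovery of frequent serial episodes over a constructed audit trail, using sliding-window frequency in the style of WINEPI. The event names, timestamps, window width and threshold are all assumed for illustration.

```python
# Constructed sample audit trail: (timestamp, event type). Not from the paper.
AUDIT_EVENTS = [
    (1, "login_fail"), (2, "login_fail"), (3, "login_ok"), (4, "sudo"),
    (7, "login_fail"), (8, "login_fail"), (9, "login_ok"), (10, "sudo"),
    (13, "login_ok"), (14, "file_read"), (15, "login_fail"), (16, "login_fail"),
    (17, "login_ok"), (18, "sudo"), (21, "file_read"),
]

def windows(events, width):
    """Yield every sliding window of the given width as a list of (t, e).
    Windows start at first_t - width + 1 and end at last_t, so every event
    lies in exactly `width` windows (the WINEPI convention)."""
    first_t, last_t = events[0][0], events[-1][0]
    for start in range(first_t - width + 1, last_t + 1):
        yield [(t, e) for t, e in events if start <= t < start + width]

def contains_serial(window, episode):
    """True if the window's events contain `episode` as an ordered subsequence,
    i.e. the episode's events occur in that order (a serial episode)."""
    i = 0
    for _, e in window:
        if i < len(episode) and e == episode[i]:
            i += 1
    return i == len(episode)

def frequency(events, episode, width):
    """Fraction of sliding windows in which the episode occurs."""
    wins = list(windows(events, width))
    return sum(contains_serial(w, episode) for w in wins) / len(wins)

def frequent_serial_episodes(events, width, min_freq, max_len=4):
    """Level-wise discovery: a serial episode can only be frequent if its
    prefix is frequent, so candidates of length k+1 are built by extending
    the frequent episodes of length k by one event type. Raising min_freq
    prunes more candidates (faster, fewer patterns); lowering it keeps more."""
    alphabet = sorted({e for _, e in events})
    found = {}
    level = [(a,) for a in alphabet]
    for _ in range(max_len):
        freqs = {ep: frequency(events, ep, width) for ep in level}
        frequent = {ep: f for ep, f in freqs.items() if f >= min_freq}
        if not frequent:
            break
        found.update(frequent)
        level = [ep + (a,) for ep in frequent for a in alphabet]
    return found

if __name__ == "__main__":
    for ep, f in sorted(frequent_serial_episodes(AUDIT_EVENTS, 5, 0.45).items()):
        print(f"{f:.2f}  {' -> '.join(ep)}")
```

With width 5 and threshold 0.45, the two-event episodes `login_fail -> login_ok` and `login_ok -> sudo` survive while the full four-event chain does not; lowering the threshold to 0.2 surfaces the longer chain at the cost of more candidates to evaluate.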