The Use of Frequent Episodes in Intrusion Detection
System and network auditing captures large amounts of data. These
audit data may contain evidence of intrusions and can therefore be used
for intrusion detection. But audit trails contain many events, of which
only a few may indicate intrusions. Data mining techniques can be used
to extract the relevant information.
Today's intrusion detection systems (IDSs) are trade-offs, particularly
between speed and accuracy. Misuse-based IDSs do not recognize unknown
attacks, while anomaly-based IDSs produce many false alarms. In this paper,
we describe a new hybrid intrusion detection system that uses frequent
episodes as its common data structure.
Our IDS will combine the misuse and anomaly approaches by means of
hierarchical frequency, a notion we introduce. The IDS will be built solely
on frequent episode discovery, matching, and pruning algorithms, and its
anomaly and misuse modules are designed to be symmetric. We believe
that the IDS will be at least as efficient as today's IDSs.
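The abstract names three building blocks, frequent episode discovery, matching and pruning, and says the misuse and anomaly modules share them. The following Python is an added illustration of that architecture, not code from the paper: it mines frequent parallel episodes (unordered sets of audit event types) over a constructed audit trail using the sliding-window frequency definition of Mannila et al.'s WINEPI algorithm, prunes candidates Apriori-style, and then reuses the same matching step once against constructed attack signatures (misuse) and once against the mined normal profile (anomaly). The window width, the frequency threshold, the audit events and the signature episode are all constructed assumptions; the paper's "hierarchical frequency" is not defined in the abstract and is not modelled here.

```python
"""Frequent-episode building blocks for a hybrid IDS (added example).

Assumptions not stated in the abstract: episodes are *parallel* episodes
(unordered sets of audit event types) and an episode's frequency is the
share of fixed-width sliding time windows that contain all of its event
types, following Mannila et al.'s WINEPI definition. All audit events,
thresholds and the signature episode below are constructed for the example.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

Event = Tuple[int, str]          # (timestamp in seconds, audit event type)
Episode = FrozenSet[str]


def windows(events: List[Event], width: int) -> List[FrozenSet[str]]:
    """Event types seen in every window [s, s+width), sliding s one second at
    a time from width-1 seconds before the first event up to the last event,
    so events at the edges fall into as many windows as events in the middle."""
    first, last = events[0][0], events[-1][0]
    return [frozenset(kind for t, kind in events if s <= t < s + width)
            for s in range(first - width + 1, last + 1)]


def frequency(episode: Episode, wins: List[FrozenSet[str]]) -> float:
    """Share of windows in which every event type of the episode occurs."""
    return sum(episode <= w for w in wins) / len(wins)


def discover(wins: List[FrozenSet[str]], min_freq: float) -> Dict[Episode, float]:
    """Level-wise (Apriori-style) discovery of all frequent parallel episodes.
    Pruning: a size-k candidate is only counted when all of its (k-1)-subsets
    are already frequent, since frequency cannot grow as an episode grows."""
    kinds = sorted({k for w in wins for k in w})
    frequent: Dict[Episode, float] = {}
    level = [frozenset([k]) for k in kinds]
    while level:
        counted = {ep: frequency(ep, wins) for ep in level}
        kept = {ep: f for ep, f in counted.items() if f >= min_freq}
        frequent.update(kept)
        # candidate generation: join two frequent k-episodes that differ in one type
        cands = {a | b for a, b in combinations(kept, 2) if len(a | b) == len(a) + 1}
        level = [c for c in cands
                 if all(frozenset(s) in kept for s in combinations(c, len(c) - 1))]
    return frequent


def matches(episode: Episode, window: FrozenSet[str]) -> bool:
    """A parallel episode matches a window when all its event types occur in it."""
    return episode <= window


def misuse_alerts(wins: List[FrozenSet[str]],
                  signatures: Dict[Episode, str]) -> List[Tuple[int, str]]:
    """Misuse module: report every window that matches a known attack episode."""
    return [(i, name) for i, w in enumerate(wins)
            for ep, name in signatures.items() if matches(ep, w)]


def anomaly_alerts(wins: List[FrozenSet[str]],
                   profile: Dict[Episode, float]) -> List[Tuple[int, FrozenSet[str]]]:
    """Anomaly module, symmetric to the misuse one: report a window whose event
    types are not all explained by frequent episodes of the normal profile,
    i.e. the residue left after removing every matching profile episode."""
    out = []
    for i, w in enumerate(wins):
        covered = frozenset().union(*(ep for ep in profile if matches(ep, w)))
        residue = w - covered
        if residue:
            out.append((i, residue))
    return out


# Constructed audit trail: three ordinary sessions and one suspicious one.
AUDIT: List[Event] = [
    (0, "login"), (1, "read"), (2, "logout"),
    (10, "login"), (11, "read"), (12, "logout"),
    (20, "login"), (21, "read"), (22, "logout"),
    (30, "failed_login"), (31, "failed_login"), (32, "login"), (33, "su"),
]
WIDTH, MIN_FREQ = 4, 0.15           # constructed window width and threshold
# Constructed misuse signature, not a real-world detection rule.
SIGNATURES: Dict[Episode, str] = {
    frozenset({"failed_login", "login", "su"}): "failed logins followed by su",
}


def run(events: List[Event] = AUDIT):
    """Mine the profile once, then run both modules over the same windows."""
    wins = windows(events, WIDTH)
    profile = discover(wins, MIN_FREQ)
    return profile, misuse_alerts(wins, SIGNATURES), anomaly_alerts(wins, profile)


if __name__ == "__main__":
    profile, misuse, anomaly = run()
    for ep, f in sorted(profile.items(), key=lambda x: (-len(x[0]), x[1])):
        print(f"{f:.2f}  {sorted(ep)}")
    print("misuse alerts:", misuse)
    print("anomaly alerts:", anomaly)
```

With these constructed inputs the profile contains only the normal session episodes (the largest being {login, read, logout}), the rare failed_login/su combination falls below the threshold and is therefore never part of the profile, the misuse module fires on the two windows that contain the whole signature, and the anomaly module flags every window in which failed_login or su appears, because no profile episode explains those event types. The point the example makes is the one the abstract states: both modules are the same matching routine applied to two different episode sets.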