
Integration of Audit Data Analysis and Mining Techniques into Aide


Abstract

In recent years, intrusion detection systems have gained wide acceptance within both government and commercial organizations. A number of intrusion detection tools are commercially available and are routinely used as part of the protection of network and computer systems. The present generation of intrusion detection systems has several limitations: these tools detect only those attacks that are already known, generate too many false positives, and are too labor intensive to operate. To overcome these problems, we developed methods and tools that the system security officer can use to understand the massive amount of data collected by the intrusion detection systems, analyze the data, and determine the importance of an alarm. The report is divided into three parts. Part I describes a network intrusion detection system, called Audit Data Analysis and Mining (ADAM), which employs a series of data mining techniques, including association rules, classification techniques, and pseudo-Bayes estimators, to detect attacks using the network audit trail data. Part II shows how to build attack scenarios by explicitly including network vulnerability/exploit relationships in the model. Part III provides a complete list of publications resulting from this effort; the resulting technology was successfully licensed to a company called Secure Decisions, and four patents were filed for.
