Intrusion Detection
In this project we investigate machine learning (data mining) techniques for building models that can detect intrusions. Because signature-based methods cannot detect attacks they have never seen, we currently focus on anomaly detection, which models normal behavior and flags deviations from it. Our models are built from data gathered from the network and from operating systems. We use audit data provided by DARPA that contain both normal and attack activities. Long-term goals include cost-sensitive modeling and correlation among distributed models.
Publications
- Learning Useful System Call Attributes for Anomaly Detection, G. Tandon and P. Chan, Proc. 18th Intl. FLAIRS Conf., pp. 405-410, 2005.
- Data Cleaning and Enriched Representations for Anomaly Detection in System Calls, G. Tandon, P. Chan, and D. Mitra, in Machine Learning and Data Mining for Computer Security: Methods and Applications, M. Maloof (editor), Springer (to appear).
- MORPHEUS: Motif Oriented Representations to Purge Hostile Events from Unlabeled Sequences, G. Tandon, P. Chan, and D. Mitra, Workshop on Visualization and Data Mining for Computer Security (Viz/DMSEC), 11th ACM Conf. on Computer and Communications Security (CCS), 2004.
- Motif-oriented Representation of Sequences for a Host-based Intrusion Detection System, G. Tandon, D. Mitra, and P. Chan, 17th Intl. Conf. on Industrial and Engineering Applications of AI and Expert Systems, pp. 605-615, 2004.
- Learning Rules for Anomaly Detection of Hostile Network Traffic, M. Mahoney and P. Chan, Proc. Third IEEE Intl. Conf. on Data Mining (ICDM), pp. 601-604, 2003.
- Learning Rules from System Call Arguments and Sequences for Anomaly Detection, G. Tandon and P. Chan, ICDM Workshop on Data Mining for Computer Security (DMSEC), pp. 20-29, 2003.
- Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection, R. Vargiya and P. Chan, ICDM Workshop on Data Mining for Computer Security (DMSEC), pp. 50-59, 2003.
- Learning Rules and Clusters for Anomaly Detection in Network Traffic, P. Chan, M. Mahoney, and M. Arshad, in Managing Cyber Threats: Issues, Approaches and Challenges, V. Kumar, J. Srivastava, and A. Lazarevic (editors), Kluwer, pp. 81-99, 2005.
- An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection, M. Mahoney and P. Chan, Proc. 6th Intl. Symp. on Recent Advances in Intrusion Detection, pp. 220-237, 2003.
- Network Traffic Anomaly Detection Based on Packet Bytes, M. Mahoney, Proc. 18th ACM Symp. on Applied Computing, pp. 346-350, 2003.
- Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks, M. Mahoney and P. Chan, Proc. 8th Intl. Conf. on Knowledge Discovery and Data Mining, pp. 376-385, 2002.
- Using Artificial Anomalies to Detect Unknown and Known Network Intrusions, W. Fan, M. Miller, S. Stolfo, W. Lee, and P. Chan, IEEE Intl. Conf. on Data Mining, pp. 123-130, 2001.
- Real Time Data Mining-based Intrusion Detection, W. Lee, S. Stolfo, P. Chan, E. Eskin, W. Fan, M. Miller, S. Hershkop, and J. Zhang, Proc. Second DARPA Information Survivability Conference and Exposition, pp. I85-100, 2001.
- Learning Patterns from Unix Process Execution Traces for Intrusion Detection, W. Lee, S. Stolfo, and P. Chan, Working Notes of the AAAI-97 Workshop on AI Approaches to Fraud Detection and Risk Management, 1997.
- Repository at Columbia University
Sponsor
Defense Advanced Research Projects Agency (DARPA)