A sequential pattern mining algorithm for misuse intrusion detection

Abstract

This paper presents a sequential pattern mining algorithm for misuse intrusion detection, which can be used to detect application layer attacks. The algorithm can distinguish the order of attack behavior and overcomes the limitation of Wenke Lee's method, which performs statistical analysis of intrusion behavior at the network layer with a frequent episode algorithm. The algorithm belongs to the behavior analysis techniques based on protocol analysis. The preprocessed data for the algorithm are application layer connection records extracted from DARPA's tcpdump data by protocol analysis tools. We use a vertical item-transaction data structure in the algorithm. Compared with the AprioriAll algorithm, the complexity of this algorithm is greatly decreased. Using this algorithm, we dig out an "intrusion-only" itemset sequential pattern, which is different from the normal user command sequential pattern. Experiments indicate that our algorithm describes attacks more accurately, and it can detect those attacks whose features appear only once. Our presentation offers a new approach for the research of misuse intrusion detection. © Springer-Verlag 2004.

Song, S. J., Huang, Z., Hu, H. P., & Jin, S. Y. (2004). A sequential pattern mining algorithm for misuse intrusion detection. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3252, 458–465. https://doi.org/10.1007/978-3-540-30207-0_57
