Over the past few years, the Internet has changed computing as we know it. The more possibilities and opportunities develop, the more systems are subject to attack by intruders. Thus, the big question is about how to recognize and handle subversion attempts. One answer is to undertake the prevention of subversion itself by building a completely secure system. However, the complete prevention of breaches of security does not yet appear to be possible to achieve. Therefore these intrusion attempts need to be detected as soon as possible (preferably in real time) so that appropriate action might be taken to repair the damage. This is what an intrusion detection system (IDS) does. IDSs monitor and analyze the events occurring in a computer system in order to detect signs of security problems. However, intrusion detection technology has not yet reached perfection. This fact has provided data mining with the opportunity to make several important contributions and improvements to the field of IDS technology (Julisch, 2002).
Key Terms in this Chapter
Data Mining: This is the process of automatically searching large volumes of data to uncover previously undetected relationships among data items. Data mining is also known as knowledge discovery in databases (KDD).
Intrusion Detection Systems: They detect inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems. ID systems that operate on network data flows are called network-based ID systems.
Classif ication: It refers to the data mining problem of attempting to predict the category of data by building a model based on some predictor variables.
Auditing: Auditing is the gathering and analysis of the information of assets to ensure such things as policy compliance and security from vulnerabilities.
False Positive: This occurs when there is no attack and the product raises an alarm. This case can be problematic because administrators, facing a false positive, might take unnecessary actions.
Anomaly detection: It detects activity that deviates from normal activity. Profile-based anomaly detection depends on the statistical definition of what is normal and can be prone to a large number of false positives.
False Negative: This occurs when there is an attack and the product does not raise an alarm. Obviously, this case is problematic because the intruder’s action can go completely unnoticed.
Misuse Detection: It detects a pattern that matches closely activity that is typical of a network intrusion. Misuse detection is also known as signature-based detection.
Signature: A signature is a distinct pattern in network traffic that can be identified to a specific tool or exploit.