Frequent Episode Rules for Internet Anomaly Detection

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Min Qin Articles by Kai Hwang

Network Computing and Applications, Third IEEE International Symposium on (NCA'04)

Boston, Massachusetts

August 30-September 01

ISBN: 0-7695-2242-4

	ASCII Text	x
	Min Qin, Kai Hwang, "Frequent Episode Rules for Internet Anomaly Detection," Network Computing and Applications, IEEE International Symposium on, pp. 161-168, Network Computing and Applications, Third IEEE International Symposium on (NCA'04), 2004.

	BibTex	x
	@article{ 10.1109/NCA.2004.1347773, author = {Min Qin and Kai Hwang}, title = {Frequent Episode Rules for Internet Anomaly Detection}, journal ={Network Computing and Applications, IEEE International Symposium on}, volume = {0}, year = {2004}, isbn = {0-7695-2242-4}, pages = {161-168}, doi = {http://doi.ieeecomputersociety.org/10.1109/NCA.2004.1347773}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Network Computing and Applications, IEEE International Symposium on TI - Frequent Episode Rules for Internet Anomaly Detection SN - 0-7695-2242-4 SP161 EP168 A1 - Min Qin, A1 - Kai Hwang, PY - 2004 KW - Network security KW - intrusion detection KW - traffic datamining KW - anomaly detection KW - false alarms KW - Grid computing VL - 0 JA - Network Computing and Applications, IEEE International Symposium on ER -

Min Qin, University of Southern California, Los Angeles, CA

Kai Hwang, University of Southern California, Los Angeles, CA

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/NCA.2004.1347773

This paper introduces a new Internet trace technique for generating frequent episode rules to characterize Internet traffic events. These episode rules are used to distinguish anomalous sequences of TCP, UDP, or ICMP connections from normal traffic episodes. Fundamental pruning techniques are introduced to reduce the rule search space by 70%. The new detection scheme was tested over real-life Internet trace data at USC.

Our anomaly detection scheme results in a success rate of 47% for DoS, R2L, and port-scanning attacks. These results demonstrate an average of 51% improvement over the use of association rules. We experienced 20 or less false alarms over 200 network attacks in 9 days of tracing experiments. This anomaly detection scheme can be used jointly with signature-based IDS to achieve even higher detection efficiency.

Index Terms:

Network security, intrusion detection, traffic datamining, anomaly detection, false alarms, Grid computing

Citation:

Min Qin, Kai Hwang, "Frequent Episode Rules for Internet Anomaly Detection," nca, pp.161-168, Network Computing and Applications, Third IEEE International Symposium on (NCA'04), 2004

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.