Wenke Lee, Computer Science, Columbia University
Abstract: Intrusion detection is an essential component of critical infrastructure protection mechanisms. The traditional pure "knowledge engineering" process of building Intrusion Detection Systems (IDSs) is very slow and expensive. As a result, the extensibility (in the face of changed or upgraded network configurations), and adaptability (in the face of new attack methods) of current IDSs is limited.
In this talk, I will describe my work in developing a data mining framework for automatically and adaptively building intrusion detection models. The central idea is to use system audit programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. These rules are then converted into executable modules for real-time intrusion detection. Detection models for new intrusions or specific (new) components of a network system are incorporated into an existing IDS through a meta-learning (or co-operative learning) process, which produces a combined model.
I will discuss some characteristics of audit data and show how the basic association rules and frequent episodes algorithms can be extended accordingly to compute only the "useful" patterns. I will describe experiments on the dataset provided as part of the 1998 DARPA Intrusion Detection Evaluation program, and discuss our experience in building a real-time network intrusion detection system.
Short Bio: Wenke Lee Wenke Lee is a Ph.D. candidate in Computer Science at Columbia University, under the supervision of Sal Stolfo. His main research interests are in network security and distributed data mining. He has worked as a summer intern at AT&T Labs Research and IBM T. J. Watson Research Center. Before coming to Columbia, he was a full time software engineer with Intergraph Corporation for four years.
Colloquia Home Page.