adam Audit Data Analysis and Mining
The use of specialized audit trails for intrusion detection has been
advocated by security experts. The idea is to analyze the audio trail to
spot ``abnormal'' patterns of usage, performing intrusion detection.
Systems like IDES (Intrusion-Detection Expert System) keep various
intrusion-detection measures for each user.
(A measure is an aspect of user behavior, such as connections,
Files Read, CPU usage and System Call Usage).
One problem with audit trails is that too much data is collected
to be usefully analyzed for intrusions. In fact, in order not to
be bypassed by potential intruders, it is advisable to collect data
at the lowest possible level (e.g., monitoring system service calls
as opposed to application-level monitoring).
However, the lower one pushes the monitoring, the larger the size of the
data collected. To alleviate this problem, the use of random sampling has
been suggested; however, using sampling one runs the risk of missing
The problem is further complicated by the need to allow for differences
in the data due to special circumstances such as holidays and other factors.
For instance, the ``normal'' number and duration of ftp connections may vary
from morning to afternoon to evening. It may also depend on the day
of the month or the week, or it may vary depending on the class
of users being considered.
To deal with these problems, project ADAM aims to implement an
intrusion-detection software that uses a multistrategy approach along
the following lines:
1. Detect events and patterns directly expressed by the operator
of the system: the operator, being the ultimate entity responsible
for the detection of the system is allowed to specify situations that
she considers ``abnormal.'' The system monitors the audit trail for
these conditions and alarms the operator.
2. Mine for association rules that are becoming frequent recently and are not
usually that frequent in similar circumstances (day of the week,
time of the day). In order to do this, two things must be done:
a. Mine the audit trail for the association rules
that are becoming ``hot'' in recent times (the window
of observation being a tunable parameter), and
b. compare those association rules with those that have been
frequent at similar times in the past. Thus, a repository
of ``aggregated'' past rules is needed.
3. Use other means of data mining to uncover suspicious or abnormal
patterns of behavior.
4. Filter and prioritize alarms to avoid flooding the operator during
and actual intrusion. This step also has the purpose of minimizing
the number of false diagnoses.
- Daniel Barbará
- Sushil Jajodia
- Julia Couto
- Ning Ning Wu