ADAM

    Audit Data Analysis and Mining


    MOTIVATION

    The use of specialized audit trails for intrusion detection has been advocated by security experts. The idea is to analyze the audit trail to spot ``abnormal'' patterns of usage, thereby performing intrusion detection. Systems like IDES (Intrusion-Detection Expert System) keep various intrusion-detection measures for each user. (A measure is an aspect of user behavior, such as connections, files read, CPU usage and system-call usage.)

    One problem with audit trails is that too much data is collected to be usefully analyzed for intrusions. In fact, in order not to be bypassed by potential intruders, it is advisable to collect data at the lowest possible level (e.g., monitoring system service calls as opposed to application-level monitoring). However, the lower one pushes the monitoring, the larger the volume of data collected. To alleviate this problem, the use of random sampling has been suggested; however, with sampling one runs the risk of missing intrusions.

    The problem is further complicated by the need to allow for differences in the data due to special circumstances such as holidays and other factors. For instance, the ``normal'' number and duration of ftp connections may vary from morning to afternoon to evening. It may also depend on the day of the month or the week, or it may vary depending on the class of users being considered.

    PROJECT GOALS

    To deal with these problems, project ADAM aims to implement intrusion-detection software that uses a multistrategy approach along the following lines:

    1. Detect events and patterns directly expressed by the operator of the system: the operator, as the entity ultimately responsible for detecting intrusions on the system, is allowed to specify situations that she considers ``abnormal.'' The system monitors the audit trail for these conditions and raises an alarm to the operator.

    2. Mine for association rules that are becoming frequent recently but are not usually that frequent in similar circumstances (day of the week, time of the day). In order to do this, two things must be done:
       a. Mine the audit trail for the association rules that are becoming ``hot'' in recent times (the window of observation being a tunable parameter), and
       b. compare those association rules with those that have been frequent at similar times in the past. Thus, a repository of ``aggregated'' past rules is needed.

    3. Use other means of data mining to uncover suspicious or abnormal patterns of behavior.

    4. Filter and prioritize alarms to avoid flooding the operator during an actual intrusion. This step also has the purpose of minimizing the number of false diagnoses.
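    As an added illustration of step 2 (example code written for this page, not code from the ADAM project), the following Python compares itemset support in a recent observation window against aggregated past records observed under the same circumstance; the hosts, services, window contents and thresholds are all constructed.

```python
from collections import Counter
from itertools import combinations

# Constructed sample audit records (not real data). Each record carries a
# "ctx" field naming the circumstance (day class + time-of-day class) and
# attribute=value items that association rules are mined over.
PAST = [  # the repository of aggregated past observations
    {"ctx": "weekday-morning", "src": "h1", "dst": "srv1", "svc": "ftp"},
    {"ctx": "weekday-morning", "src": "h2", "dst": "srv1", "svc": "ftp"},
    {"ctx": "weekday-morning", "src": "h3", "dst": "srv1", "svc": "ftp"},
    {"ctx": "weekday-morning", "src": "h1", "dst": "srv2", "svc": "http"},
    {"ctx": "weekday-morning", "src": "h2", "dst": "srv2", "svc": "http"},
    {"ctx": "weekday-morning", "src": "h4", "dst": "srv1", "svc": "ftp"},
    {"ctx": "weekday-evening", "src": "h9", "dst": "srv1", "svc": "ftp"},
]
RECENT = [  # the current (tunable) observation window
    {"ctx": "weekday-morning", "src": "h9", "dst": "srv1", "svc": "ftp"},
    {"ctx": "weekday-morning", "src": "h9", "dst": "srv1", "svc": "ftp"},
    {"ctx": "weekday-morning", "src": "h9", "dst": "srv1", "svc": "ftp"},
    {"ctx": "weekday-morning", "src": "h1", "dst": "srv2", "svc": "http"},
]

def support(records, max_size=2):
    """Support (fraction of records) of every itemset of size 1..max_size."""
    if not records:
        return {}
    counts = Counter()
    for rec in records:
        items = sorted(f"{k}={v}" for k, v in rec.items() if k != "ctx")
        for n in range(1, max_size + 1):
            for combo in combinations(items, n):
                counts[combo] += 1
    return {k: v / len(records) for k, v in counts.items()}

def hot_itemsets(recent, past, ctx, min_support=0.5, ratio=2.0):
    """Itemsets frequent in the recent window but rare in past windows with
    the same circumstance; returns itemset -> (recent support, baseline)."""
    past_sup = support([r for r in past if r["ctx"] == ctx])
    recent_sup = support([r for r in recent if r["ctx"] == ctx])
    flagged = {}
    for itemset, s in recent_sup.items():
        baseline = past_sup.get(itemset, 0.0)
        if s >= min_support and s >= ratio * baseline:
            flagged[itemset] = (s, baseline)
    return flagged

if __name__ == "__main__":
    for itemset, (s, base) in hot_itemsets(RECENT, PAST, "weekday-morning").items():
        print(f"hot: {itemset} recent={s:.2f} baseline={base:.2f}")
```

    Note that ftp connections to srv1 are frequent in the recent window too, but are not flagged because they are equally frequent on past weekday mornings; only the itemsets involving the new source host stand out.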

    PEOPLE

  • Daniel Barbará
  • Sushil Jajodia
  • Julia Couto
  • Ning Ning Wu