Most intrusion detection approaches rely on the analysis of the packet logs recording each noticeable event happening in the network system. Network connections are then constructed on the basis of these packet logs. Searching for abnormal connections is where the application of data mining techniques for anomaly detection promise great potential benefits. Anyway, mining packet logs poses additional challenges. In fact, a connection is composed of a sequence of packets, but classical approaches to anomaly detection loose information on the possible relations (e.g., following) between the packets forming one connection. This depends on the fact that the attribute-value data representation adopted by classical anomaly detection methods does not allow either the distinction between connections and packets or the discovery of the interaction between packets in a connection. In order to face this issue, we resort to a Multi-Relational Data Mining approach which makes possible to mine data scattered in multiple relational tables (typically one for each object type). Our goal is to analyse packet logs of consecutive days and discover multivariate relational patterns whose support significantly changes from one day to another. Discovered patterns provide a human-interpretable description of the change in the network connections occurring in consecutive days. Experimental results on real traffic data collected from the firewall logs of our University Department are reported.

Discovering Emerging Patterns for Anomaly Detection in Network Connection Data

APPICE, ANNALISA;CARUSO, COSTANTINA;MALERBA, Donato;CECI, MICHELANGELO
2008-01-01

Abstract

Most intrusion detection approaches rely on the analysis of the packet logs recording each noticeable event happening in the network system. Network connections are then constructed on the basis of these packet logs. Searching for abnormal connections is where the application of data mining techniques for anomaly detection promise great potential benefits. Anyway, mining packet logs poses additional challenges. In fact, a connection is composed of a sequence of packets, but classical approaches to anomaly detection loose information on the possible relations (e.g., following) between the packets forming one connection. This depends on the fact that the attribute-value data representation adopted by classical anomaly detection methods does not allow either the distinction between connections and packets or the discovery of the interaction between packets in a connection. In order to face this issue, we resort to a Multi-Relational Data Mining approach which makes possible to mine data scattered in multiple relational tables (typically one for each object type). Our goal is to analyse packet logs of consecutive days and discover multivariate relational patterns whose support significantly changes from one day to another. Discovered patterns provide a human-interpretable description of the change in the network connections occurring in consecutive days. Experimental results on real traffic data collected from the firewall logs of our University Department are reported.
2008
978-3-540-68122-9
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11586/84536
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 7
  • ???jsp.display-item.citation.isi??? 6
social impact