Skip to Main Content
In network-based intrusion detection, signatures discovery is an important issue, since the performance of an intrusion detection system heavily depends on accuracy and abundance of signatures. In most cases, we have to find these signatures manually. This is a time-consuming and error-prone work. We present a data mining method based on an approach to support signature discovery in a network-based intrusion detection system, which generates signatures for a misuse detection intrusion detection system (IDS) not only depending on associations of attributes of the transfer protocol, but also on the content of traffic. Until now, no paper has studied how to mine content of traffic to generate signatures for an IDS. Our work allows people to find signatures of an intrusion easily and provides a third party IDS (for example, Snort) with candidate signatures. In order to discover signatures, we present an algorithm called Signature Apriori. An experimental system named SigSniffer has been implemented to test the feasibility of the proposed approach.
Machine Learning and Cybernetics, 2002. Proceedings. 2002 International Conference on (Volume:1 )
Date of Conference: 2002