From: KDD-98 Proceedings. Copyright © 1998, AAAI (www.aaai.org). All rights reserved.

Mining Audit Data to Build Intrusion Detection Models

Wenke Lee and Salvatore J. Stolfo and Kui W. Mok
Computer Science Department
Columbia University
500 West 120th Street, New York, NY 10027
{wenke,sal,mok}@cs.columbia.edu

Abstract

In this paper we discuss a data mining framework for constructing intrusion detection models. The key ideas are to mine system audit data for consistent and useful patterns of program and user behavior, and use the set of relevant system features presented in the patterns to compute (inductively learned) classifiers that can recognize anomalies and known intrusions. Our past experiments showed that classifiers can be used to detect intrusions, provided that sufficient audit data is available for training and the right set of system features are selected. We propose to ...

al. 1992), tries to determine whether deviation from the established normal usage patterns can be flagged as intrusions.

Currently many intrusion detection systems are constructed by manual and ad hoc means. In misuse detection systems, intrusion patterns (for example, more than three consecutive failed logins) need to be hand-coded using specific modeling languages. In anomaly detection systems, the features or measures on audit data (for example, the CPU usage by a program) that constitute the profiles are chosen based on the experience of the system builders. As a result, the effec-