Current IDS and Data Mining research

Hi,
Well, it depends on what you are trying to do.
For example, do you want to use data mining in IDS alert analysis (e.g. alert verification, alert aggregation, alert correlation)? In this case you will find a lot of research work submitted in that area.

Do you want to use data mining in building an IDS to detect intrusions? Then you are probably talking about anomaly detection based IDS? In my opinion, data mining is not the best approach to do that. Probably you will need to think about soft computing approaches (neural networks, artificial immune systems, swarm intelligence, etc.).

The issue with your question is that you are using very abstract keywords, "data mining" and "IDS". You should be more specific.

Thanks,
Sherif Saad
Ph.D Candidate, University of Victoria

— On Mon, 5/30/11, bro-request@bro-ids.org bro-request@bro-ids.org wrote:


> From: bro-request@bro-ids.org bro-request@bro-ids.org
> Subject: Bro Digest, Vol 61, Issue 16
> To: bro@bro-ids.org
> Received: Monday, May 30, 2011, 10:00 PM
>
> Send Bro mailing list submissions to
> bro@bro-ids.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body ‘help’ to
> bro-request@bro-ids.org
>
> You can reach the person managing the list at
> bro-owner@bro-ids.org
>
> When replying, please edit your Subject line so it is more specific
> than “Re: Contents of Bro digest…”
>
> Today’s Topics:
>
> 1. Current IDS and Data Mining research (Suman Nandi)
> 2. Re: handle out of order and retransmitted packets in offline
> trace (Song Zhao)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 30 May 2011 11:53:57 +0530
> From: Suman Nandi suman.nandi@chitkara.edu.in
> Subject: [Bro] Current IDS and Data Mining research
> To: bro@bro-ids.org
> Message-ID: BANLkTi=pfrxkgD6SzOmN5yrejS3G5MDJxg@mail.gmail.com
> Content-Type: text/plain; charset="iso-8859-1"
>
> Dear Bro Developers and contributors,
> I have been working on IDS and Data Mining. I would like to know the current
> research in this area, that is IDS using Data Mining, and what are the current
> research areas and objectives where Data Mining can provide solutions to IDS?
>
> –
> Regards
> SUMAN KUMAR NANDI
> HOD-Computer Applications
> Chitkara University, Punjab
> India
> Mobile:+919501105658
> -------------- next part --------------
> An HTML attachment was scrubbed…
> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110530/8ae49156/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Mon, 30 May 2011 03:22:08 -0400
> From: Song Zhao sxz135@case.edu
> Subject: Re: [Bro] handle out of order and retransmitted packets in
> offline trace
> To: Vern Paxson vern@icir.org
> Cc: bro@bro-ids.org, Ruoming Pang rpang@cs.princeton.edu
> Message-ID: BANLkTi=3WDaWZ2sT8TcPvOM=ifG8zJPC=w@mail.gmail.com
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> In the 12G rewritten trace, the port numbers range widely. http-rewriter.bro
> loads http-reply.bro, which loads http-request.bro, which loads http.bro. The
> code about filtering in these policy scripts is as follows:
>
> In http-request.bro:
> redef capture_filters += {
>     ["http-request"] = "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000"
> };
> In http-reply.bro:
> redef capture_filters += {
>     ["http-reply"] = "tcp src port 80 or tcp src port 8080 or tcp src port 8000"
> };
> In http.bro:
> # DPM configuration.
> global http_ports = {
>     80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
>     8000/tcp, 8080/tcp, 8888/tcp,
> };
> redef dpd_config += { [ANALYZER_HTTP] = [$ports = http_ports] };
> redef dpd_config += { [ANALYZER_HTTP_BINPAC] = [$ports = http_ports] };
>
> Do any of them set DPD on? If not, why do the port numbers in the rewritten trace
> range so widely, much more widely than the range of global
> http_ports?
> I didn't load dpd.bro anywhere. After roughly checking the payloads, as far
> as I found, they all contain HTTP requests or responses. I mean they are
> really "HTTP streams" whatever the port number is.
>
> Thanks
> Song Zhao
>
> On Fri, May 27, 2011 at 4:43 PM, Vern Paxson vern@icir.org wrote:
>
> > > I also tried ./bro -r readfile -A writerfile http-rewriter.bro, whose
> > > results seem to be the same as those of ./bro -r readfile
> > http-rewriter.bro
> > > -A writefile. And is there any difference of the resulting trace between
> > > using -A and -w for http-rewriter.bro?
> >
> > If you specify both, then you get the untransformed trace in the -w file
> > and the transformed one in -A. If you specify just one, then that’s the
> > transformed file.
> >
> > > Does http-rewriter.bro by default use DPD to find http streams instead of
> > > port numbers?
> >
> > I don’t know. But you can avoid this question by just wiring in the
> > ports of interest into the initialization of capture_filters in
> > http-reply.bro.
> >
> > > Interestingly, the majority of
> > > them are port 20480.
> >
> > Note, 20480 = 80 but little endian. This suggests either a bug in how
> > you’re viewing the port numbers, or in how Bro is displaying (or possibly
> > processing them).
> >
> > Vern
> >
> -------------- next part --------------
> An HTML attachment was scrubbed…
> URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110530/005188f5/attachment-0001.html
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro@bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> End of Bro Digest, Vol 61, Issue 16
> ***********************************
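Vern's remark that 20480 is port 80 with its two bytes swapped is the kind of thing worth turning into a quick sanity check when a rewritten trace shows an unexpectedly wide range of ports. The script below is an added example written for this thread, not code from Bro or from any of the posters: it parses TCP ports in network versus host byte order, classifies an observed port as an expected HTTP port, a byte-swapped expected port, or unknown, and tallies a list of observed ports. The expected set is the http_ports list quoted from http.bro; the sample TCP header and the list of "observed" ports are constructed here, and the function names are this example's own.

```python
"""Byte-order sanity check for port numbers observed in a trace.

Added example, not code from the Bro thread. It assumes the expected
HTTP ports are the http_ports set quoted from http.bro; the sample
header and observed-port list below are constructed for illustration.
"""
import struct
from collections import Counter

# Ports from the http.bro snippet quoted in the digest.
HTTP_PORTS = frozenset({80, 81, 631, 1080, 3138, 8000, 8080, 8888})


def byteswap16(port: int) -> int:
    """Return the value a 16-bit port takes when read with the wrong byte order."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of 16-bit range: %r" % port)
    return ((port & 0xFF) << 8) | (port >> 8)


def parse_tcp_ports(tcp_header: bytes, network_order: bool = True):
    """Parse (src_port, dst_port) from the first 4 bytes of a TCP header.

    TCP carries ports in network (big-endian) byte order. Reading them as
    little-endian host values is the bug Vern suspects: 80 becomes 20480.
    """
    fmt = "!HH" if network_order else "<HH"
    return struct.unpack(fmt, tcp_header[:4])


def explain_port(port: int, expected=HTTP_PORTS):
    """Classify one observed port against the expected HTTP port set.

    Returns ("expected", port), ("byte-swapped", real_port) when the port
    is an expected one with its bytes swapped, or ("unknown", port).
    """
    if port in expected:
        return ("expected", port)
    swapped = byteswap16(port)
    if swapped in expected:
        return ("byte-swapped", swapped)
    return ("unknown", port)


def audit_ports(observed, expected=HTTP_PORTS):
    """Count how many observed ports fall into each category."""
    counts = Counter(explain_port(p, expected)[0] for p in observed)
    return {k: counts.get(k, 0) for k in ("expected", "byte-swapped", "unknown")}


# Constructed sample: a minimal 20-byte TCP header with src 51234, dst 80.
SAMPLE_TCP_HEADER = struct.pack("!HH", 51234, 80) + bytes(16)

# Constructed sample of ports "seen in the trace", mostly 20480 as in the thread.
OBSERVED_PORTS = [20480] * 5 + [80, 36895, 443, 16415]

if __name__ == "__main__":
    print("network order:", parse_tcp_ports(SAMPLE_TCP_HEADER))
    print("wrong (host) order:", parse_tcp_ports(SAMPLE_TCP_HEADER, network_order=False))
    for p in sorted(set(OBSERVED_PORTS)):
        print(p, explain_port(p))
    print(audit_ports(OBSERVED_PORTS))
```

If most of the ports in a trace classify as byte-swapped rather than unknown, the problem is in how the ports are being read or displayed, not in the traffic; if they classify as unknown, the filter or DPD configuration is the first place to look.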
