Machine Learning for Intrusion Detection

author: Pavel Laskov, Fraunhofer Institute for Intelligent Analysis and Information Systems
published: Nov. 26, 2007, recorded: September 2007, views: 17677




Intrusion detection is one of the core technologies of computer security. The goal of intrusion detection is the identification of malicious activity in a stream of monitored data, which can be network traffic, operating system events or log entries. A majority of current intrusion detection systems (IDS) follow a signature-based approach in which, similar to virus scanners, events are detected that match specific pre-defined patterns known as "signatures". The main limitation of signature-based IDS is their failure to identify novel attacks, and sometimes even minor variations of known patterns. Besides, a significant administrative overhead is incurred by the need to maintain signature databases. Machine learning offers a major opportunity to improve the quality and to facilitate the administration of IDS. Supervised learning can be used for the automatic generation of detectors without a need to manually define and update signatures. Anomaly detection and other unsupervised learning techniques can detect new kinds of attacks, provided they exhibit an unusual character in some feature space.

In our contribution, kernel- and distance-based learning algorithms for network intrusion detection will be presented. The two essential parts of our approach are online learning algorithms and feature extraction. The major requirements on the algorithmic part are linear run-time, online learning and data type abstraction. Simple but effective anomaly detection algorithms will be presented that satisfy these requirements (1). Feature extraction algorithms can be reduced to the computation of similarity measures between sequential objects. In order to access the features of the application-layer network protocols, in which most modern remote exploits operate, similarity measures are computed directly over the byte streams of TCP connections. Algorithms and data structures will be presented that allow efficient computation of similarity measures in linear time with very low run-time constants and memory consumption (2).
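An added illustration of the byte-stream approach described in the abstract (example code, not the lecturer's own implementation): raw TCP payloads are embedded as sparse n-gram frequency vectors in one linear pass, a centroid of normal traffic is maintained as an incremental mean so the model learns online, and a connection is scored by its distance to that centroid. The HTTP samples are constructed for the example.

```python
from math import sqrt

def ngram_embed(payload: bytes, n: int = 3) -> dict:
    """Sparse n-gram frequency vector of a byte string: one linear pass over the
    bytes and no parsing of the application protocol (data type abstraction)."""
    windows = max(len(payload) - n + 1, 0)
    counts = {}
    for i in range(windows):
        g = payload[i:i + n]
        counts[g] = counts.get(g, 0) + 1
    # relative frequencies so connections of different lengths are comparable
    return {g: c / windows for g, c in counts.items()}

def sparse_distance(a: dict, b: dict) -> float:
    """Euclidean distance between sparse vectors; touches only n-grams present in either."""
    return sqrt(sum((a.get(g, 0.0) - b.get(g, 0.0)) ** 2 for g in a.keys() | b.keys()))

class CentroidAnomalyDetector:
    """One-class detector: running mean of the embeddings of normal traffic. update()
    is an incremental mean, so the model learns online without storing past connections."""
    def __init__(self, n: int = 3):
        self.n, self.count, self.centroid = n, 0, {}

    def update(self, payload: bytes) -> None:
        self.count += 1
        x = ngram_embed(payload, self.n)
        for g in self.centroid.keys() | x.keys():
            c = self.centroid.get(g, 0.0)
            self.centroid[g] = c + (x.get(g, 0.0) - c) / self.count

    def score(self, payload: bytes) -> float:
        return sparse_distance(ngram_embed(payload, self.n), self.centroid)

# Constructed sample traffic: ordinary HTTP requests that form the normal profile.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /contact.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
]
# Constructed probes: one request like the profile, one with a body of high-bit bytes
# that never occur in the normal traffic (so almost none of its n-grams are known).
TYPICAL = b"GET /news.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
UNUSUAL = b"POST /upload HTTP/1.1\r\n\r\n" + bytes(range(128, 256))

def demo() -> tuple:
    det = CentroidAnomalyDetector(n=3)
    for p in NORMAL:
        det.update(p)
    return det.score(TYPICAL), det.score(UNUSUAL)
```

Calling `demo()` returns the two distances; the unusual request lands noticeably farther from the centroid than the typical one, and a deployment would turn that distance into an alert with a threshold calibrated on held-out normal traffic.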

Download slides: mmdss07_laskov_mlit_01.pdf (1.7 MB)
