Adaptive Datamining of Internet Traffic Episodes for Anomaly Detection*

A new Internet traffic datamining technique is presented for generating frequent episode rules (FER). Adaptive base-support threshold is applied to different axis attributes in these rules. We use the rules to build anomaly-based, network intrusion detection systems (NIDS). The episode rules detect anomalous sequences of TCP, UDP, or ICMP connections. Three new pruning techniques are devised to reduce the rule search space by 70% in our benchmark experiments. Testing our scheme over real-life Internet trace data collected at USC mixed with 10 days of MIT/LL attack data, we encountered 20 or less false alarms over 200 network attacks. We detect with a success rate of 47% of all unknown network attacks. These results show a 51% improvement over the NIDS built with association rules, exclusively. The new adaptive method detects many unknown network attacks embedded in Internet services like telnet, http, ftp, smtp, Email, authentication, etc.