From: coastwatch-request@cs.purdue.edu
Greetings, all.
Several of our PhD students are researching advanced intrusion and anomaly
detection methods. None of these methods rely on looking at standard audit
trails or network traces. Instead, we're trying to do localized data
reduction and directed observation.
The good part of such research is that it will likely result in better
methods of intrusion detection. The downside is that we are having
difficulty getting "real" data of the kinds necessary to refine our results!
Enclosed is a request put together by one of the students working on one of
the projects. If any of you have data of the kind being sought and would be
willing to contribute it to our research, we would really appreciate it!
Please respond directly to Terran (email address below) if you can assist.
If your data can be shared with others, please let Terran know that too -- I
am certain he would be happy to share what he finds with others seeking the
same kinds of data.
--gene spafford
------- Forwarded Message
From: Terran Lane <terran@ecn.purdue.edu>
Call for Data
Purdue's MILLENNIUM Machine Learning Lab is currently engaged in
cooperative research with the Purdue CERIAS to develop machine
learning techniques for the anomaly detection problem [1,2]. To date,
we have developed a number of promising techniques for this domain,
and have demonstrated the effectiveness of our methods in
distinguishing different valid system users under normal working
conditions [3-8]. To truly evaluate the utility of our techniques,
however, it is critical to examine their performance with respect to
instances of real attacks, misuses, and abuses. Unfortunately, we do
not currently have access to such data. We are, therefore, requesting
the donation of audit data recording known hostile actions for the
purposes of profiling research codes and methods. Although it would
be valuable to make such data available to the research community at
large, we are aware of the private and sensitive nature of such data
and are willing to accept non-disclosure terms and/or sanitized data.
While we are interested in all facets of this problem and all audit
data recording genuine incidents is valuable, the most useful examples
will meet the following criteria:
- The data originates from a source close to the user interface level.
Desired data sources, in order of utility to our current research
directions, are:
* Command line interface traces
* Audit trails of command invocations (preferably with flags,
environment, etc.)
* GUI event traces
* Network packet logs
* System call traces
- Labels, tags, descriptions, or other methods will be available to
clearly distinguish data generated during the anomalous event from
normal system usage.
In addition, a quantity of known non-hostile data drawn from the same
system or systems near the time of the security incidents will be
necessary to calibrate detection systems under normal operating
conditions and to demonstrate differentiation ability.
References:
[1] Anderson, J. P., Computer security threat monitoring and
surveillance. Technical Report, James P. Anderson Co.,
Washington PA, 1980.
[2] Denning, D. E., An intrusion-detection model. IEEE Transactions on
Software Engineering, 13(2), pp 222-232, 1987.
[3] Lane, T. and Brodley, C. E., Detecting the abnormal: Machine learning
in computer security. Technical Report TR-ECE 97-1, Purdue
University School of Electrical and Computer Engineering, West
Lafayette IN, 1997.
[4] Lane, T. and Brodley, C. E., An application of machine learning to
anomaly detection. In National Information Systems Security
Conference, Baltimore MD, 1997.
[5] Lane, T. and Brodley, C. E., Sequence matching and learning in
anomaly detection for computer security. In Proceedings of
AAAI-97 Workshop on AI Approaches to Fraud Detection and Risk
Management, 1997.
[6] Lane, T. and Brodley, C. E., Approaches to Online Learning and
Concept Drift for User Identification in Computer Security.
In Proceedings of the Fourth International Conference on
Knowledge Discovery and Data Mining, 1998.
[7] Lane, T., Filtering Techniques for Rapid User Classification.
In Proceedings of the AAAI-98/ICML-98 Joint Workshop on AI
Approaches to Time-series Analysis, 1998.
[8] Lane, T. and Brodley, C. E., Temporal Sequence Learning and Data
Reduction for Anomaly Detection. In Proceedings of the Fifth
ACM Conference on Computer and Communications Security, 1998
(to appear).
--
Terran Lane email=terran@ecn.purdue.edu
WWW=http://mow.ecn.purdue.edu/~terran/
PGP key=http://mow.ecn.purdue.edu/~terran/facts/pgp_key.html
"But I don't want to go among mad people," Alice remarked.
"Oh, you can't help that," said the Cat: "we're all mad here. I'm mad.
You're mad."
"How do you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
------- End of Forwarded Message
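The call for data above asks for three things together: user-interface-level traces, labels separating the hostile episode from ordinary use, and a separate quantity of known-normal data from the same system for calibration. The following added example (not part of the original posting, and not the Purdue group's own code or method) shows why all three matter with a minimal sequence-profile detector run over constructed, labeled command-line traces. The record format, the bigram profile over command names, the three-record smoothing window and the 0.5 threshold are assumptions chosen for illustration.

```python
"""Added example (not the posting's or the Purdue group's code): a minimal
sequence-profile anomaly detector over constructed, labeled command-line
trace records.  The record format, bigram profiling, smoothing window and
threshold are all assumptions chosen for illustration."""

# Constructed calibration trace: known non-hostile records from one user,
# used only to build the profile.  Assumed record format:
# "<user> <label> <command line>".
BASELINE_TRACE = """\
alice normal ls -la
alice normal cd src
alice normal vi main.c
alice normal make
alice normal ./a.out
alice normal vi main.c
alice normal make
alice normal ./a.out
alice normal git commit -a
alice normal ls -la
alice normal cd src
alice normal vi util.c
alice normal make
alice normal ./a.out
alice normal git commit -a
alice normal cd ..
alice normal ls -la
"""

# Constructed held-out trace: ordinary records followed by a labeled episode
# of commands this user never issues.  The labels are what let us measure
# detection and false-alarm rates separately.
TEST_TRACE = """\
alice normal cd src
alice normal vi main.c
alice normal make
alice normal ./a.out
alice normal git commit -a
alice normal ls -la
alice anomalous who
alice anomalous uname -a
alice anomalous cat /var/log/messages
alice anomalous netstat -an
alice anomalous df -h
"""


def parse_trace(text):
    """Parse records into (user, label, tokens) tuples."""
    records = []
    for line in text.strip().splitlines():
        user, label, cmdline = line.split(" ", 2)
        records.append((user, label, cmdline.split()))
    return records


def command_names(records):
    """Reduce each record to its command name.  Flags and arguments are
    dropped here for brevity, although the request notes they carry signal."""
    return [tokens[0] for _, _, tokens in records]


def build_profile(records, n=2):
    """Set of command-name n-grams observed in the labeled-normal baseline."""
    names = command_names([r for r in records if r[1] == "normal"])
    return {tuple(names[i:i + n]) for i in range(len(names) - n + 1)}


def match_scores(records, profile, n=2):
    """1.0 where the n-gram ending at a record is in the profile, else 0.0.
    The first n-1 records have no full window and are scored 1.0."""
    names = command_names(records)
    scores = []
    for i in range(len(names)):
        if i < n - 1:
            scores.append(1.0)
        else:
            scores.append(1.0 if tuple(names[i - n + 1:i + 1]) in profile else 0.0)
    return scores


def flag_records(scores, window=3, threshold=0.5):
    """Flag a record when the mean match score over a trailing window falls
    below the threshold.  Smoothing trades a short detection delay for
    robustness against a single unfamiliar but legitimate command."""
    flags = []
    for i in range(len(scores)):
        lo = max(0, i - window + 1)
        flags.append(sum(scores[lo:i + 1]) / (i - lo + 1) < threshold)
    return flags


def evaluate(records, flags):
    """Detection rate on labeled-anomalous records and false-alarm rate on
    labeled-normal records; without labels neither number can be computed."""
    labels = [label for _, label, _ in records]
    anomalous = [f for f, l in zip(flags, labels) if l == "anomalous"]
    normal = [f for f, l in zip(flags, labels) if l == "normal"]
    return {
        "detection_rate": sum(anomalous) / len(anomalous) if anomalous else 0.0,
        "false_alarm_rate": sum(normal) / len(normal) if normal else 0.0,
    }


def run_demo():
    """Build the profile from the baseline, score the held-out trace and
    return (metrics, per-record flags)."""
    profile = build_profile(parse_trace(BASELINE_TRACE))
    test = parse_trace(TEST_TRACE)
    flags = flag_records(match_scores(test, profile))
    return evaluate(test, flags), flags


if __name__ == "__main__":
    result, flags = run_demo()
    for (user, label, tokens), flagged in zip(parse_trace(TEST_TRACE), flags):
        print(f"{label:9s} {'ALARM' if flagged else '   ok':5s}  {' '.join(tokens)}")
    print(result)
```

On the constructed data the detector raises no alarm on the held-out normal records and flags four of the five anomalous ones; the first anomalous record is missed because the trailing window still contains two in-profile bigrams. With a profile built from only seventeen baseline records any unseen-but-legitimate command would also be flagged, which is exactly why the request asks for a substantial quantity of normal data from the same system to calibrate before claiming differentiation.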
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon Oct 26 12:16:54 1998