Developing Cyberspace Data Understanding: Using CRISP-DM for Host-based IDS Feature Mining

Author

Joseph R. Erskine

Date of Award

3-10-2010

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

Gilbert L. Peterson, PhD

Abstract

Current intrusion detection systems generate a large number of specific alerts, but do not provide actionable information. Many times, these alerts must be analyzed by a network defender, a time consuming and tedious task which can occur hours or days after an attack occurs. Improved understanding of the cyberspace domain can lead to great advancements in Cyberspace situational awareness research and development. This thesis applies the Cross Industry Standard Process for Data Mining (CRISP-DM) to develop an understanding about a host system under attack. Data is generated by launching scans and exploits at a machine outfitted with a set of host-based data collectors. Through knowledge discovery, features are identified within the data collected which can be used to enhance host-based intrusion detection. By discovering relationships between the data collected and the events, human understanding of the activity is shown. This method of searching for hidden relationships between sensors greatly enhances understanding of new attacks and vulnerabilities, bolstering our ability to defend the cyberspace domain.

AFIT Designator

AFIT-GCS-ENG-10-01

DTIC Accession Number

ADA518837

Recommended Citation

Erskine, Joseph R., "Developing Cyberspace Data Understanding: Using CRISP-DM for Host-based IDS Feature Mining" (2010). Theses and Dissertations. 1996.
https://scholar.afit.edu/etd/1996