2009-10-16
PLAN OF THE BOOK
Chapter 1: Introduction to Data Warehousing and Data Mining
This chapter introduces the concepts and basic vocabulary of data
warehousing and data mining.
Chapter 2: Introduction to Cyber Security
This chapter discusses the basic concepts of security in networks, denial of
service attacks, network security controls, and computer viruses and worms.
Chapter 3: Intrusion Detection Systems
This chapter provides an overview of the state of the art in Intrusion Detection
Systems and their shortcomings.
Chapter 4: Data Mining for Intrusion Detection
It shows how data mining techniques can be applied to Intrusion Detection.
It gives a survey of different research projects in this area and possible
directions for future research.
Chapter 5: Data Modeling and Data Warehousing to Improve IDS
This chapter demonstrates how a multidimensional data model can be used
to do network security analysis and detect denial of service attacks. These
techniques have been implemented in a prototype system that is being
successfully used at Army Research Labs. This system has helped the
security analyst in detecting intrusions and in historical data analysis for
generating reports on trend analysis.
Chapter 6: MINDS: Architecture and Design
It provides an overview of the Minnesota Intrusion Detection System
(MINDS) that uses a set of data mining techniques to address different
aspects of cyber security.
Chapter 7: Discovering Novel Strategies from INFOSEC Alerts
This chapter discusses an advanced correlation system that can reduce alarm
redundancy and provide information on attack scenarios and high-level
attack strategies for large networks.

TABLE OF CONTENTS
Chapter 1: An Overview of Data Warehouse, OLAP and Data Mining Technology
1. Motivation for a Data Warehouse
2. A Multidimensional Data Model
3. Data Warehouse Architecture
4. Data Warehouse Implementation
4.1 Indexing of OLAP Data
4.2 Metadata Repository
4.3 Data Warehouse Back-end Tools
4.4 Views and Data Warehouse
5. Commercial Data Warehouse Tools
6. From Data Warehousing to Data Mining
6.1 Data Mining Techniques
6.2 Research Issues in Data Mining
6.3 Applications of Data Mining
6.4 Commercial Tools for Data Mining
7. Data Analysis Applications for Network/Web Services
7.1 Open Research Problems in Data Warehouse
7.2 Current Research in Data Warehouse
8. Conclusions
Chapter 2: Network and System Security
1. Viruses and Related Threats
1.1 Types of Viruses
1.2 Macro Viruses
1.3 E-mail Viruses
1.4 Worms
1.5 The Morris Worm
1.6 Recent Worm Attacks
1.7 Virus Counter Measures
2. Principles of Network Security
2.1 Types of Networks and Topologies
2.2 Network Topologies
3. Threats in Networks
4. Denial of Service Attacks
4.1 Distributed Denial of Service Attacks
4.2 Denial of Service Defense Mechanisms
5. Network Security Controls
6. Firewalls
6.1 What they are
6.2 How do they work
6.3 Limitations of Firewalls
7. Basics of Intrusion Detection Systems
8. Conclusions
Chapter 3: Intrusion Detection Systems
1. Classification of Intrusion Detection Systems
2. Intrusion Detection Architecture
3. IDS Products
3.1 Research Products
3.2 Commercial Products
3.3 Public Domain Tools
3.4 Government Off-the-Shelf (GOTS) Products
4. Types of Computer Attacks Commonly Detected by IDS
4.1 Scanning Attacks
4.2 Denial of Service Attacks
4.3 Penetration Attacks
5. Significant Gaps and Future Directions for IDS
6. Conclusions
Chapter 4: Data Mining for Intrusion Detection
1. Introduction
2. Data Mining for Intrusion Detection
2.1 Adam
2.2 Madam ID
2.3 Minds
2.4 Clustering of Unlabeled ID
2.5 Alert Correlation
3. Conclusions and Future Research Directions
Chapter 5: Data Modeling and Data Warehousing Techniques to Improve Intrusion Detection
1. Introduction
2. Background
3. Research Gaps
4. A Data Architecture for IDS
5. Conclusions
Chapter 6: MINDS - Architecture & Design
1. MINDS - Minnesota Intrusion Detection System
2. Anomaly Detection
3. Summarization
4. Profiling Network Traffic Using Clustering
5. Scan Detection
6. Conclusions
7. Acknowledgements
Chapter 7: Discovering Novel Attack Strategies from INFOSEC Alerts
1. Introduction
2. Alert Aggregation and Prioritization
3. Probabilistic Based Alert Correlation
4. Statistical Based Correlation
5. Causal Discovery Based Alert Correlation
6. Integration of three Correlation Engines
7. Experiments and Performance Evaluation
8. Related Work
9. Conclusion and Future Work
Index