The Minnesota Intrusion Detection System (MINDS) is a data mining based system for detecting network intrusions. A prototype of the MINDS system is being used by the University of Minnesota network security analysts in a live system organized as illustrated in the figure below. Input to MINDS is collected using net-flow tools that collect packet information for ten-minute windows and store the information in a flat file. Before the analyst uses MINDS to process the files in batch mode, these files are filtered to remove information that is not interesting for intrusion analysis.
The first step in MINDS is the construction of features that are used in the data mining analysis. Basic features available directly from net-flow data include source IP address, source port, destination IP address, destination port, protocol, flags, number of bytes, and number of packets. Derived features include time-window and connection-window based features. Time-window based features are constructed to capture connections with similar characteristics in the last T seconds, since typically Denial of Service (DoS) and scanning attacks involve hundreds of connections in short time intervals. However, some scanning attacks scan the hosts (or ports) using a much larger time interval, for example once per hour. In order to detect such slow scans we also need to keep statistics for the last N connections generated from every source. We refer to these as the connection-window based features.
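The two derived feature families described above, as an added illustration that is not code from the MINDS project: a time-window count over the last T seconds catches a burst scan, while a connection-window count over the last N connections from the same source catches a one-host-per-hour scan that the time window misses. The flow records, the feature names and the T = 10 s / N = 5 settings are all constructed for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One net-flow record; only the basic fields the page lists are modelled."""
    ts: float        # seconds since the start of the trace
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


# Constructed trace (not real traffic): two ordinary web connections, a fast port
# scan of 192.168.1.10 from 10.0.0.5 inside one second, and a slow one-host-per-hour
# scan from 10.0.0.9. The timestamps span several hours on purpose, so the trace
# stands in for several consecutive ten-minute batches whose per-source state is kept.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.2", 51000, "192.168.1.10", 80, "tcp", 1500, 10),
    Flow(5.0, "10.0.0.2", 51001, "192.168.1.10", 443, "tcp", 3000, 20),
    *[Flow(100.0 + 0.2 * i, "10.0.0.5", 40000 + i, "192.168.1.10", p, "tcp", 60, 1)
      for i, p in enumerate((21, 22, 23, 25, 80))],
    *[Flow(200.0 + 3600.0 * i, "10.0.0.9", 45000 + i, f"192.168.1.{i + 1}", 22, "tcp", 60, 1)
      for i in range(5)],
]


def window_features(flows, T=10.0, N=5):
    """Attach time-window (last T seconds) and connection-window (last N
    connections per source) features to every flow, returned in time order.
    The specific feature names are assumptions for this example."""
    flows = sorted(flows, key=lambda f: f.ts)
    recent_by_src = defaultdict(deque)                 # flows from src within last T s
    recent_by_dst = defaultdict(deque)                 # flows to dst within last T s
    last_n_by_src = defaultdict(lambda: deque(maxlen=N))  # last N flows per source
    out = []
    for f in flows:
        src_q = recent_by_src[f.src_ip]
        while src_q and f.ts - src_q[0].ts > T:        # evict flows older than T seconds
            src_q.popleft()
        src_q.append(f)

        dst_q = recent_by_dst[f.dst_ip]
        while dst_q and f.ts - dst_q[0].ts > T:
            dst_q.popleft()
        dst_q.append(f)

        last_n = last_n_by_src[f.src_ip]               # bounded deque drops the oldest itself
        last_n.append(f)

        out.append({
            "ts": f.ts, "src_ip": f.src_ip, "dst_ip": f.dst_ip, "dst_port": f.dst_port,
            # time-window based features
            "count_src_T": len(src_q),
            "count_dst_T": len(dst_q),
            "uniq_dst_ports_src_T": len({x.dst_port for x in src_q}),
            # connection-window based features
            "uniq_dst_hosts_src_N": len({x.dst_ip for x in last_n}),
            "uniq_dst_ports_src_N": len({x.dst_port for x in last_n}),
        })
    return out


if __name__ == "__main__":
    for row in window_features(SAMPLE_FLOWS):
        print(row)
```

Run on the constructed trace, the fast scanner's last flow shows five connections and five distinct destination ports within the 10 s window, whereas every flow of the slow scanner shows a time-window count of 1; only the connection-window feature reveals that its last five connections went to five different hosts.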
After the feature construction step, the known attack detection module is used to detect network connections that correspond to attacks for which the signatures are available, and then to remove them from further analysis. Next, the data is fed into the MINDS anomaly detection module that uses an outlier detection algorithm to assign an anomaly score to each network connection. The output of the MINDS anomaly detector contains the original net-flow data along with the anomaly score and relative contribution of each of the 16 attributes used by the anomaly detection algorithm.
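The page does not name the outlier detection algorithm or list its 16 attributes, so the following added example (not the MINDS code) stands in a simple k-nearest-neighbour distance score for it and shows the one output property the text does describe: an anomaly score per connection together with the relative contribution of each attribute to that score. The four attribute names and the feature rows are constructed; an analyst reading the breakdown can see whether a connection was flagged for its connection rate, its port spread, or something else.

```python
from statistics import mean, pstdev

# The page's 16 attributes are not listed; these four names are assumptions that
# mirror the feature kinds it describes (time-window counts, connection-window
# counts, and a per-connection size attribute).
ATTRIBUTES = ["count_src_T", "uniq_dst_ports_src_T", "uniq_dst_hosts_src_N", "bytes_per_packet"]

# Constructed feature rows: eight ordinary connections and, last, one row that
# looks like a fast port scan (many connections, many ports, tiny packets).
SAMPLE_ROWS = [
    (1, 1, 1, 900), (2, 1, 1, 850), (1, 1, 2, 1200), (2, 2, 1, 700),
    (1, 1, 1, 950), (3, 2, 2, 800), (2, 1, 1, 1000), (1, 1, 1, 880),
    (40, 38, 1, 60),
]


def standardize(rows):
    """Z-score each attribute so byte counts and connection counts are comparable."""
    cols = list(zip(*rows))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]   # a constant column is left unscaled
    return [[(v - m) / s for v, m, s in zip(r, mu, sd)] for r in rows]


def knn_outlier_score(rows, k=3):
    """Score each row by the mean squared distance to its k nearest neighbours
    (assumed stand-in for the page's unnamed outlier detector) and report the
    fraction of that distance contributed by each attribute."""
    z = standardize(rows)
    results = []
    for i, zi in enumerate(z):
        dists = []
        for j, zj in enumerate(z):
            if j == i:
                continue
            per_attr = [(a - b) ** 2 for a, b in zip(zi, zj)]   # squared gap per attribute
            dists.append((sum(per_attr), per_attr))
        dists.sort(key=lambda d: d[0])
        nearest = dists[:k]
        per_attr_total = [sum(d[1][a] for d in nearest) for a in range(len(ATTRIBUTES))]
        total = sum(per_attr_total)
        contrib = {name: (v / total if total else 0.0)
                   for name, v in zip(ATTRIBUTES, per_attr_total)}
        results.append({"score": total / k, "contribution": contrib})
    return results


def rank_anomalies(rows, k=3):
    """Return (row index, result) pairs from most to least anomalous."""
    scored = knn_outlier_score(rows, k)
    order = sorted(range(len(rows)), key=lambda i: scored[i]["score"], reverse=True)
    return [(i, scored[i]) for i in order]


if __name__ == "__main__":
    for idx, r in rank_anomalies(SAMPLE_ROWS)[:3]:
        top = max(r["contribution"], key=r["contribution"].get)
        print(f"row {idx}: score={r['score']:.2f}  top attribute={top} "
              f"({r['contribution'][top]:.0%})")
```

On the constructed rows the scan-like row ranks first by a wide margin, and its breakdown attributes roughly three quarters of the distance to the two time-window features, which is exactly the kind of hint that lets an analyst decide quickly what to look at.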
The human analyst investigates reported network connections with high anomaly scores through MINDSAT (MINDS AnalystTool), a PHP-based analysis engine used to search and process a database of network connections. In addition, the MINDS association pattern analysis module provides another high-level summary of network connections that are ranked highly anomalous in the anomaly detection module. These summaries allow a human analyst to examine a large number of anomalous connections quickly. Furthermore, this summarization has the advantage of providing templates from which signatures of novel attacks can be built for augmenting the database of signature-based intrusion detection systems.
The University of Minnesota network security analyst has been using MINDS to analyze the university network traffic since August 2002. During this period, MINDS has been successful in detecting many novel network attacks and emerging network behavior that could not be detected using state-of-the-art intrusion detection systems such as SNORT.
-Vipin Kumar, Aleksander Lazarevic, Jaideep Srivastava