Intrusion detection is an essential component of any critical infrastructure protection mechanism. Since many current IDSs are constructed by manually encoding expert knowledge, updating their knowledge is time-consuming. To address this problem, an effective method for misuse intrusion detection with low cost and high efficiency is presented. This paper gives an overview of our research in building a detection model for identifying known intrusions, their variations, and novel attacks of unknown nature. The method is based on rough set theory and is capable of extracting a set of detection rules from network packet features. After a decision table is obtained by preprocessing raw packet data, rough-set-based reduction and rule generation algorithms are applied, yielding rules useful for intrusion detection. In addition, a rough set and rule-tree-based incremental knowledge acquisition algorithm is presented to solve the problem of updating the rule set when new attacks appear. Compared with other methods, our method requires a smaller training data set and less effort to collect training data. Experimental results demonstrate that our system is effective and better suited to online intrusion detection.
One main technical means of anti-Spam is to build filters into the email transfer route. However, the design of many junk mail filters does not make use of all the security information in an email, most of which resides in the mail header rather than in the body and attachments. In this paper, data mining based on rough sets is introduced to design a new anti-Spam filter. First, by recording and analyzing the header of every collected email sample, we obtain all the necessary raw data. Next, by selecting and computing features from the original header data, we obtain a decision table consisting of several condition attributes and one decision attribute. Then a rough-set-based data mining technique, consisting mainly of relative reduction and rule generation, is applied to mine this decision table, and we obtain useful anti-Spam knowledge from the email headers. Finally, we tested our rules by using them to judge different mails. Tests demonstrate that, when mining a selected malicious email corpus with a specific Spam rate, our anti-Spam filter has high efficiency and a high identification rate. By mining email headers, we can find potential security problems in some email systems and the deception methods used by Spam senders.
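Both abstracts rest on the same pipeline: build a decision table of discretised features (packet fields in the first, header fields in the second), compute a relative reduct so that redundant condition attributes are dropped, and read decision rules off the consistent equivalence classes of the reduct. The following is an added example, not code from either paper; the decision table is constructed, the reduct search is an exhaustive enumeration rather than the papers' reduction algorithm, and `incremental_update` is a deliberately simplified stand-in for the rule-tree-based incremental acquisition described in the first abstract. Swapping the packet features for email-header features (sender domain, Received-chain length, Message-ID shape, and so on) applies the same functions unchanged.

```python
from itertools import combinations
from collections import defaultdict

# Constructed decision table of preprocessed packet records (not data from
# the paper). Condition attributes are discretised packet features; the
# decision attribute is the analyst's label for the record.
CONDITION_ATTRS = ["proto", "flag", "dst_port_class", "payload_len_bin"]
DECISION_ATTR = "label"

TABLE = [
    dict(proto="tcp",  flag="SYN",  dst_port_class="priv", payload_len_bin="zero",  label="scan"),
    dict(proto="tcp",  flag="SYN",  dst_port_class="priv", payload_len_bin="zero",  label="scan"),
    dict(proto="tcp",  flag="ACK",  dst_port_class="priv", payload_len_bin="small", label="normal"),
    dict(proto="tcp",  flag="ACK",  dst_port_class="high", payload_len_bin="large", label="normal"),
    dict(proto="udp",  flag="none", dst_port_class="priv", payload_len_bin="small", label="normal"),
    dict(proto="udp",  flag="none", dst_port_class="high", payload_len_bin="large", label="flood"),
    dict(proto="udp",  flag="none", dst_port_class="high", payload_len_bin="large", label="flood"),
    dict(proto="tcp",  flag="SYN",  dst_port_class="high", payload_len_bin="zero",  label="scan"),
    dict(proto="icmp", flag="none", dst_port_class="na",   payload_len_bin="large", label="flood"),
    dict(proto="icmp", flag="none", dst_port_class="na",   payload_len_bin="small", label="normal"),
]


def indiscernibility_classes(table, attrs):
    """Partition the rows into the equivalence classes of IND(attrs):
    rows that agree on every attribute in attrs are indiscernible."""
    classes = defaultdict(list)
    for row in table:
        classes[tuple(row[a] for a in attrs)].append(row)
    return classes


def dependency_degree(table, attrs, decision=DECISION_ATTR):
    """gamma_attrs(D) = |POS_attrs(D)| / |U|: the fraction of rows whose
    attrs-class is consistent (all members carry the same decision)."""
    positive = 0
    for members in indiscernibility_classes(table, attrs).values():
        if len({m[decision] for m in members}) == 1:
            positive += len(members)
    return positive / len(table)


def relative_reducts(table, cond_attrs=CONDITION_ATTRS):
    """Enumerate every minimal subset B of cond_attrs with
    gamma_B(D) == gamma_C(D). Exhaustive search is fine for a handful of
    attributes; the paper's reduction algorithm is not reproduced here."""
    full = dependency_degree(table, cond_attrs)
    reducts = []
    for size in range(1, len(cond_attrs) + 1):
        for subset in combinations(cond_attrs, size):
            if any(set(r) <= set(subset) for r in reducts):
                continue  # a proper subset already preserves dependency: not minimal
            if dependency_degree(table, list(subset)) == full:
                reducts.append(subset)
    return reducts


def core(reducts):
    """Attributes present in every reduct: removing any of them always
    destroys the dependency, so they are indispensable."""
    return set.intersection(*(set(r) for r in reducts)) if reducts else set()


def generate_rules(table, reduct, decision=DECISION_ATTR):
    """One certain rule per consistent reduct-class:
    (attr=value AND ...) -> decision, with the number of supporting rows."""
    rules = []
    for key, members in indiscernibility_classes(table, list(reduct)).items():
        labels = {m[decision] for m in members}
        if len(labels) == 1:  # only the positive region yields certain rules
            rules.append((dict(zip(reduct, key)), labels.pop(), len(members)))
    return rules


def classify(rules, record):
    """Decision of the first rule whose conditions all match, or None when
    no rule covers the record (a candidate for incremental acquisition)."""
    for conditions, decision, _support in rules:
        if all(record.get(a) == v for a, v in conditions.items()):
            return decision
    return None


def incremental_update(table, rules, reduct, new_row):
    """Simplified incremental acquisition (an assumption of this example,
    not the paper's rule-tree algorithm): a labelled record the rules
    already classify correctly changes nothing; otherwise it is appended
    and the reduct and rule set are recomputed from the enlarged table."""
    if classify(rules, new_row) == new_row[DECISION_ATTR]:
        return table, rules, reduct
    table = table + [new_row]
    reduct = min(relative_reducts(table), key=len)
    return table, generate_rules(table, reduct), reduct


if __name__ == "__main__":
    reducts = relative_reducts(TABLE)
    print("reducts:", reducts, "core:", core(reducts))
    chosen = ("flag", "payload_len_bin")
    for cond, label, support in generate_rules(TABLE, chosen):
        print(" AND ".join(f"{a}={v}" for a, v in cond.items()), "->", label, f"(support {support})")
    probe = dict(proto="tcp", flag="SYN", dst_port_class="high", payload_len_bin="zero")
    print("probe ->", classify(generate_rules(TABLE, chosen), probe))
```

On this table the full attribute set has dependency degree 1.0, but two of the four attributes suffice: the reducts are `(proto, payload_len_bin)` and `(flag, payload_len_bin)`, with `payload_len_bin` as the core. The rule set read off the `flag`/`payload_len_bin` reduct has five rules instead of one per distinct packet, which is the size reduction the abstracts rely on for cheap rule updates and online matching.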