Enhancing profiles for anomaly detection using time granularities

Recently, association rules have been used to generate profiles of normal behavior for anomaly detection. However, the time factor (especially in terms of multiple time granularities) has not been utilized extensively in generation of these profiles. In reality, user behavior during different time intervals may be very different. For example, the normal number and duration of FTP connections may vary from working hours to midnight, from business day to weekend or holiday. Furthermore, these variations may depend on the day of the month or the week. This paper proposes to build profiles using temporal association rules in terms of multiple time granularities, and describes algorithms to discover these profiles. Because multiple time granularities are used for the profile generation, the proposed method is more flexible and precise than previous methods that use fixed partition of time intervals. Finally, the paper describes an experiment and its preliminary result on TCP-dump data.