We introduce an algorithm called LERAD that learns rules for finding rare events in nominal time-series data with long range dependencies. We use LERAD to find anomalies in network packets and TCP sessions to detect novel intrusions. LERAD outperforms the original participants in the 1999 DARPA/Lincoln Laboratory intrusion detection evaluation, and detected most attacks that eluded a firewall in a university departmental server environment.
Mahoney, M.V., Chan, P.K. (2003). Learning rules for anomaly detection of hostile network traffic (CS-2003-16). Melbourne, FL. Florida Institute of Technology.