A Data Mining Framework for Building Intrusion Detection Models

Wenke Lee, Salvatore J. Stolfo, Kui W. Mok
This paper presents a data mining framework for building adaptive intrusion detection (ID) models. The framework uses auditing programs to extract features from network connections or host sessions and applies data mining techniques to learn rules that accurately capture intrusion and normal behavior. These rules are used for both misuse and anomaly detection. New detection models are incorporated into an existing IDS through a meta-learning process, which combines evidence from multiple models to produce a meta detection model. The framework leverages classification, meta-learning, association rules, and frequent episodes to analyze audit data and build detection models. The paper discusses the application of these techniques to the 1998 DARPA Intrusion Detection Evaluation Program. The framework is designed to be systematic and automated, allowing for the construction of adaptive IDSs by applying data mining tools to multiple streams of evidence from different detection modules. The framework includes programs for learning classifiers, association rules, and frequent episodes, as well as a support environment for interactive model construction and evaluation. The paper also describes experiments on building intrusion detection models using audit data from the DARPA evaluation program, and discusses the results of these experiments. The framework is shown to be effective in detecting various types of intrusions, including DOS, R2L, U2R, and PROBING attacks. The paper also discusses user anomaly detection by analyzing user command data and comparing it to a user's historical profile. The framework is shown to be effective in detecting anomalies in user behavior.

The paper concludes with a discussion of related work and future research directions, including the development of network anomaly detection strategies and the translation of automatically learned detection rules into modules for real-time IDSs.
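As an added illustration (not code from the paper), a small Python sketch of the frequent-episodes idea over constructed connection records: parallel (unordered) episodes within a time window are mined from a normal-traffic profile, and episodes that are frequent in new audit data but absent from that profile are reported, which is the anomaly-detection use the abstract describes. The record layout, host names, window size and support threshold are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed connection records, not data from the paper or the DARPA set:
# (time_seconds, source_host, service, flag). Flag "SF" = normal completion,
# "S0" = connection attempt with no reply. The flag feature is one the paper's
# audit programs extract; the values below are made up for illustration.
NORMAL = [
    (0, "h1", "http", "SF"), (1, "h1", "smtp", "SF"), (3, "h2", "http", "SF"),
    (4, "h1", "http", "SF"), (6, "h2", "ftp", "SF"), (7, "h1", "smtp", "SF"),
]
# Six half-open connections from one host to http in six seconds: a flood-like burst.
FLOOD = [(t, "h9", "http", "S0") for t in range(6)]
FRESH = sorted(NORMAL + FLOOD)  # new audit data = background traffic plus the burst


def frequent_episodes(records, window, min_support):
    """Mine parallel (unordered) episodes of one or two items.

    `records` must be sorted by time. For each record, its window is the set of
    service:flag items from the same source within `window` seconds after it.
    Support of an episode is the fraction of windows containing it; episodes with
    support >= min_support are returned. This simplifies the paper's serial-episode
    mining by ignoring item order.
    """
    counts = Counter()
    for i, (t0, src, _, _) in enumerate(records):
        items = sorted({f"{svc}:{flag}" for t, s, svc, flag in records[i:]
                        if s == src and t - t0 <= window})
        for size in (1, 2):
            counts.update(combinations(items, size))  # each combo once per window
    total = len(records)
    return {ep: c / total for ep, c in counts.items() if c / total >= min_support}


def new_episodes(profile, fresh, window, min_support):
    """Anomaly check: episodes frequent in `fresh` that were not frequent in the
    `profile` built from normal traffic. These are candidates for analyst review."""
    baseline = frequent_episodes(profile, window, min_support)
    return {ep: sup for ep, sup in frequent_episodes(fresh, window, min_support).items()
            if ep not in baseline}


if __name__ == "__main__":
    print("normal profile:", frequent_episodes(NORMAL, window=3, min_support=0.5))
    print("new in fresh data:", new_episodes(NORMAL, FRESH, window=3, min_support=0.5))
```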