Abstract
An intrusion detection system (IDS) usually has to analyse gigabytes of audit information. In an anomaly IDS, this information is used to build a user profile characterising normal behaviour, whereas a misuse IDS tests it against known attacks. Probabilistic methods, e.g. hidden Markov models, have proved suitable for profile formation but are prohibitively expensive. To bring these methods into practice, this paper aims to reduce the audit information by folding up subsequences that commonly occur within it. Using n-gram language models, we have been able to successfully identify the n-grams that appear most frequently. The main contribution of this paper is an n-gram extraction and identification process that significantly reduces an input log file while keeping the key information needed for intrusion detection. We reduced log files by a factor of 3.6 in the worst case and 4.8 in the best case. We also tested the reduced data using hidden Markov models (HMMs) for intrusion detection. The time needed to train the HMMs is greatly reduced by using our reduced log files, but most importantly, the impact on both the detection and false positive ratios is negligible.
This research is supported by three research grants: CONACyT 33337-A, CONACyT-DLR J200.324/2003 and ITESM CCEM-0302-05.
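As an added illustration of the folding idea in the abstract (not the authors' implementation, whose details this page does not give), the sketch below greedily folds the most frequent n-gram of a constructed system-call trace into a single symbol, repeats until no n-gram recurs often enough, and keeps a fold table so the reduced trace can be expanded back losslessly; the greedy selection, the thresholds, the `G<k>` labels and the sample trace are all assumptions.

```python
from collections import Counter

# Constructed sample trace: a recurring open/read/close pattern with some noise.
SAMPLE_TRACE = (["open", "read", "close"] * 6 + ["mmap", "brk"]
                + ["open", "read", "close"] * 4 + ["write", "fstat"])


def count_ngrams(seq, n):
    """Count every (overlapping) length-n window in a token sequence."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def fold_ngram(seq, gram, label):
    """Replace each non-overlapping occurrence of `gram` with the single token `label`."""
    n, out, i = len(gram), [], 0
    while i < len(seq):
        if tuple(seq[i:i + n]) == gram:
            out.append(label)
            i += n
        else:
            out.append(seq[i])
            i += 1
    return out


def compact(seq, n=3, min_count=3, max_folds=10):
    """Greedily fold the most frequent n-gram until none recurs at least min_count times.
    Returns the reduced sequence and a fold table mapping label -> folded n-gram.
    Labels may nest: a later fold can cover earlier labels (assumed design)."""
    seq, folds = list(seq), {}
    for k in range(max_folds):
        counts = count_ngrams(seq, n)
        if not counts:
            break
        gram, c = counts.most_common(1)[0]
        if c < min_count:
            break
        label = f"G{k}"
        folds[label] = gram
        seq = fold_ngram(seq, gram, label)
    return seq, folds


def expand(seq, folds):
    """Undo the folding; labels are expanded recursively so nested folds unwind."""
    out = []
    for tok in seq:
        out.extend(expand(list(folds[tok]), folds) if tok in folds else [tok])
    return out


def reduction_factor(original, reduced):
    """Length of the input divided by length of the folded output."""
    return len(original) / len(reduced)
```

The expand check is the property a practitioner wants before feeding folded traces to an HMM: the compaction changes the alphabet, not the information.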
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Godínez, F., Hutter, D., Monroy, R. (2005). On the Role of Information Compaction to Intrusion Detection. In: Ramos, F.F., Larios Rosillo, V., Unger, H. (eds) Advanced Distributed Systems. ISSADS 2005. Lecture Notes in Computer Science, vol 3563. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11533962_9
DOI: https://doi.org/10.1007/11533962_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28063-7
Online ISBN: 978-3-540-31674-9
eBook Packages: Computer Science (R0)