Abstract
Intrusion detection has become a main research focus in information security. The last few years have witnessed a large variety of techniques and models that provide increasingly efficient intrusion detection solutions. We argue here that the intrusive behavior of a process is a highly localized characteristic of the process: there are certain small episodes in a process that make it intrusive in an otherwise normal stream. As a result, it is unnecessary and most often misleading to consider the whole process in its totality and to attempt to characterize its abnormal features. In the present work we establish that subsequences of reasonably small length of the sequence of system calls suffice to identify abnormality in a process. We make use of rough set theory to demonstrate this concept; rough set theory also facilitates identifying rules for intrusion detection. The main contributions of the paper are the following: (a) it is established that a very small subsequence of system calls is sufficient to identify intrusive behavior with high accuracy, which we demonstrate using the DARPA'98 BSM data; (b) a rough set based system is developed that can extract rules for intrusion detection; (c) an algorithm is presented that can determine on-line the status of a process as either normal or abnormal.
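The following Python sketch is an added illustration of the idea the abstract describes, not the authors' code and not their rule-induction procedure. It treats every window of a fixed small length (assumed here to be 4) over a system-call trace as one row of a rough-set decision table, with the window's calls as condition attributes and the trace label as the decision. The lower approximation of the "abnormal" concept (windows that occur only in intrusive traces) yields certain rules; windows that occur in both kinds of trace fall in the boundary region and yield no rule. An on-line classifier then slides the same window over an incoming call stream and flags the process as soon as one certain rule fires, so the verdict depends on a short episode rather than the whole process. The traces are constructed for the example and are not DARPA'98 BSM data.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

WINDOW = 4  # assumed subsequence length; the paper argues small windows suffice

Window = Tuple[str, ...]

# Constructed sample traces (not DARPA'98 data). The attack traces share their
# prefix with normal behaviour; only a short episode near the end is intrusive.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "mmap", "mmap", "close", "open", "read", "close"],
    ["open", "mmap", "read", "close", "exit"],
    ["open", "read", "read", "write", "close", "exit"],
]
ABNORMAL_TRACES: List[List[str]] = [
    ["open", "read", "mmap", "mmap", "setuid", "execve", "exit"],
    ["open", "read", "read", "write", "chmod", "execve", "exit"],
]


def windows(trace: List[str], k: int = WINDOW) -> List[Window]:
    """All contiguous length-k subsequences of a system-call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_decision_table(normal: List[List[str]], abnormal: List[List[str]],
                         k: int = WINDOW) -> Dict[Window, Set[str]]:
    """Decision table keyed by condition attributes (the k calls of a window).

    The value is the set of decisions observed for that window; a window seen
    in both normal and abnormal traces gets both labels.
    """
    table: Dict[Window, Set[str]] = defaultdict(set)
    for trace in normal:
        for w in windows(trace, k):
            table[w].add("normal")
    for trace in abnormal:
        for w in windows(trace, k):
            table[w].add("abnormal")
    return table


def approximations(table: Dict[Window, Set[str]]) -> Tuple[Set[Window], Set[Window], Set[Window]]:
    """Rough-set lower approximation, upper approximation and boundary region
    of the concept 'abnormal' with respect to the window attributes."""
    lower = {w for w, decisions in table.items() if decisions == {"abnormal"}}
    boundary = {w for w, decisions in table.items() if len(decisions) > 1}
    upper = lower | boundary
    return lower, upper, boundary


def extract_rules(table: Dict[Window, Set[str]]) -> List[Window]:
    """Certain rules: each window in the lower approximation implies 'abnormal'."""
    lower, _, _ = approximations(table)
    return sorted(lower)


def classify_online(stream: List[str], rules: List[Window],
                    k: int = WINDOW) -> Tuple[str, Optional[Window], Optional[int]]:
    """Slide a length-k window over the call stream and stop at the first
    certain rule that fires. Returns (verdict, offending window, call index).

    Windows absent from the decision table are treated as normal here; that is
    a simplification of this example, not the paper's algorithm.
    """
    rule_set = set(rules)
    buf: List[str] = []
    for i, call in enumerate(stream):
        buf.append(call)
        if len(buf) > k:
            buf.pop(0)
        if len(buf) == k and tuple(buf) in rule_set:
            return "abnormal", tuple(buf), i
    return "normal", None, None


if __name__ == "__main__":
    table = build_decision_table(NORMAL_TRACES, ABNORMAL_TRACES)
    lower, upper, boundary = approximations(table)
    print("certain abnormal windows:", len(lower), "boundary windows:", len(boundary))
    rules = extract_rules(table)
    live = ["open", "read", "mmap", "mmap", "setuid", "execve", "exit"]
    print(classify_online(live, rules))
```

The boundary region is the point of the example: the first window of each attack trace is identical to a normal one, so whole-trace statistics would blur the two classes, while the fourth call onward already contains a window that never occurs in normal traffic and is enough to raise the alarm before the process finishes.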
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Rawat, S., Gulati, V.P., Pujari, A.K. (2005). A Fast Host-Based Intrusion Detection System Using Rough Set Theory. In: Peters, J.F., Skowron, A. (eds) Transactions on Rough Sets IV. Lecture Notes in Computer Science, vol 3700. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11574798_8
DOI: https://doi.org/10.1007/11574798_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29830-4
Online ISBN: 978-3-540-32016-6