Abstract
We present an approach to the problem of detecting intrusions in computer systems through the use of behavioral data produced by users during their normal login sessions. Attacks may be detected by observing abnormal behavior, and the technique we use consists of associating with each system user a classifier, built from relational decision trees, that labels login sessions as “legal” or as “intrusions”. We run an experiment with 10 users, based on their normal work, gathered over a period of three months. We obtain a correct user recognition of 90%, using an independent test set. The test set consists of new, previously unseen sessions for the users considered during training, as well as sessions from users not available during the training phase. The obtained performance is comparable with previous studies, but (1) we do not use information that may affect user privacy and (2) we do not bother the users with questions.
Copyright information
© 1999 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gunetti, D., Ruffo, G. (1999). Intrusion Detection through Behavioral Data. In: Hand, D.J., Kok, J.N., Berthold, M.R. (eds) Advances in Intelligent Data Analysis. IDA 1999. Lecture Notes in Computer Science, vol 1642. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48412-4_32
DOI: https://doi.org/10.1007/3-540-48412-4_32
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-66332-4
Online ISBN: 978-3-540-48412-7
eBook Packages: Springer Book Archive