Intrusion Detection through Behavioral Data

  • Conference paper
Advances in Intelligent Data Analysis (IDA 1999)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 1642)

Abstract

We present an approach to the problem of detecting intrusions in computer systems through the use of behavioral data produced by users during their normal login sessions. In fact, attacks may be detected by observing abnormal behavior, and the technique we use consists of associating with each system user a classifier made with relational decision trees that will label login sessions as “legals” or as “intrusions”. We perform an experiment for 10 users, based on their normal work, gathered during a period of three months. We obtain a correct user recognition of 90%, using an independent test set. The test set consists of new, previously unseen sessions for the users considered during training, as well as sessions from users not available during the training phase. The obtained performance is comparable with previous studies, but (1) we do not use information that may affect user privacy and (2) we do not bother the users with questions.

Copyright information

© 1999 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gunetti, D., Ruffo, G. (1999). Intrusion Detection through Behavioral Data. In: Hand, D.J., Kok, J.N., Berthold, M.R. (eds) Advances in Intelligent Data Analysis. IDA 1999. Lecture Notes in Computer Science, vol 1642. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48412-4_32

  • DOI: https://doi.org/10.1007/3-540-48412-4_32

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-66332-4

  • Online ISBN: 978-3-540-48412-7

  • eBook Packages: Springer Book Archive
