ABSTRACT
We present and empirically analyze a machine-learning approach for detecting intrusions on individual computers. Our Winnow-based algorithm continually monitors user and system behavior, recording properties such as the number of bytes transferred over the last 10 seconds, the programs currently running, and the load on the CPU. In all, hundreds of measurements are made and analyzed each second. From this data, our algorithm builds a model of each particular computer's range of normal behavior. The parameters that determine when abnormal activity should raise an alarm are set on a per-computer basis from an analysis of training data. A major issue for intrusion-detection systems is the need for very low false-alarm rates. Our empirical results suggest that it is possible to obtain high intrusion-detection rates (95%) and low false-alarm rates (less than one per day per computer) without "stealing" too many CPU cycles (less than 1%). We also report which system measurements are the most valuable for detecting intrusions; a surprisingly large number of different measurements prove significantly useful.
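An added example (not the paper's code) of the approach the abstract describes: raw per-window measurements are binarized into Boolean features, a Winnow learner weights those features, and the alarm threshold is then set from the host's own normal training windows so that the false-alarm budget is respected. The cut-points, the sample windows and the zero-false-alarm budget are assumptions, not values from the paper.

```python
from typing import Dict, List, Tuple

# Assumed cut-points for three kinds of measurements the abstract mentions.
CUTPOINTS = {"bytes_10s": [50_000, 500_000], "cpu_load": [0.5, 0.9], "n_procs": [40, 80]}

def binarize(sample: Dict[str, float]) -> Dict[str, int]:
    """Map raw measurements to Boolean features 'name>cut' (Winnow takes 0/1 inputs)."""
    return {f"{n}>{c}": int(sample.get(n, 0.0) > c) for n, cuts in CUTPOINTS.items() for c in cuts}
class WinnowDetector:
    """Littlestone's Winnow: weights start at 1, threshold n/2; a missed intrusion
    multiplies the active weights by alpha, a false alarm divides them by alpha."""
    def __init__(self, n_features: int, alpha: float = 2.0):
        self.alpha, self.theta, self.w = alpha, n_features / 2, {}
        self.alarm_at = float("inf")  # per-host alarm threshold, set by calibrate()

    def score(self, x: Dict[str, int]) -> float:
        return sum(self.w.setdefault(f, 1.0) * v for f, v in x.items())

    def train(self, data: List[Tuple[Dict[str, int], int]], epochs: int = 5) -> None:
        for _ in range(epochs):
            for x, y in data:
                if int(self.score(x) >= self.theta) == y:
                    continue  # correct prediction: Winnow makes no update
                for f, v in x.items():  # only the active (v == 1) features move
                    if v:
                        self.w[f] *= self.alpha if y else 1 / self.alpha

    def calibrate(self, normal: List[Dict[str, int]], allowed_false_alarms: int = 0) -> float:
        """Set this host's alarm threshold so at most `allowed_false_alarms` normal windows exceed it."""
        scores = sorted((self.score(x) for x in normal), reverse=True)
        self.alarm_at = scores[min(allowed_false_alarms, len(scores) - 1)]
        return self.alarm_at

    def is_intrusion(self, sample: Dict[str, float]) -> bool:
        return self.score(binarize(sample)) > self.alarm_at

    def ranked_features(self) -> List[Tuple[str, float]]:
        return sorted(self.w.items(), key=lambda kv: -kv[1])  # which sensors matter most

# Constructed training windows (label 1 = intrusion), not data from the paper.
TRAIN = [({"bytes_10s": 10_000, "cpu_load": 0.2, "n_procs": 30}, 0),
         ({"bytes_10s": 60_000, "cpu_load": 0.6, "n_procs": 45}, 0),
         ({"bytes_10s": 800_000, "cpu_load": 0.95, "n_procs": 90}, 1),
         ({"bytes_10s": 30_000, "cpu_load": 0.3, "n_procs": 50}, 0),
         ({"bytes_10s": 600_000, "cpu_load": 0.7, "n_procs": 60}, 1)]
def build_detector() -> WinnowDetector:
    det = WinnowDetector(n_features=len(binarize(TRAIN[0][0])))
    det.train([(binarize(s), y) for s, y in TRAIN])
    det.calibrate([binarize(s) for s, y in TRAIN if y == 0])  # zero false alarms allowed
    return det
```

With the constructed windows, the heaviest weight lands on the high-bytes feature, and raising `allowed_false_alarms` in `calibrate` lowers the threshold in exchange for more alarms on normal traffic.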
Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage