Article

Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage

Authors:
Jude Shavlik

University of Wisconsin, Madison, WI

University of Wisconsin, Madison, WI
View Profile

,
Mark Shavlik

Shavlik Technologies, Roseville, MN

Shavlik Technologies, Roseville, MN
View Profile

KDD '04: Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data miningAugust 2004Pages 276–285https://doi.org/10.1145/1014052.1014084

Published:22 August 2004Publication History

KDD '04: Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining

Pages 276–285

ABSTRACT

We present and empirically analyze a machine-learning approach for detecting intrusions on individual computers. Our Winnow-based algorithm continually monitors user and system behavior, recording such properties as the number of bytes transferred over the last 10 seconds, the programs that currently are running, and the load on the CPU. In all, hundreds of measurements are made and analyzed each second. Using this data, our algorithm creates a model that represents each particular computer's range of normal behavior. Parameters that determine when an alarm should be raised, due to abnormal activity, are set on a per-computer basis, based on an analysis of training data. A major issue in intrusion-detection systems is the need for very low false-alarm rates. Our empirical results suggest that it is possible to obtain high intrusion-detection rates (95%) and low false-alarm rates (less than one per day per computer), without "stealing" too many CPU cycles (less than 1%). We also report which system measurements are the most valuable in terms of detecting intrusions. A surprisingly large number of different measurements prove significantly useful.

References

R. Agarwal & M. Joshi, PNrule: A New Framework for Learning Classifier Models in Data Mining (A Case-Study in Network Intrusion Detection) Proc. First SIAM Intl. Conf. on Data Mining, 2001.Google Scholar
J. Anderson, Computer Security Threat Monitoring and Surveillance, J. P. Anderson Company Technical Report, Fort Washington, PA, 1980.Google Scholar
DARPA, Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems, DARPA Workshop Report, 1999.Google Scholar
A. Ghosh, A. Schwartzbard, & M. Schatz, Learning Program Behavior Profiles for Intrusion Detection, USENIX Workshop on Intrusion Detection & Network Monitoring, April 1999. Google ScholarDigital Library
T. Lane & C. Brodley, Approaches to Online Learning and Concept Drift for User Identification in Computer Security, Proc. KDD, pp 259--263, 1998.Google Scholar
A. Lazarevic, L. Ertoz, A. Ozgur, J. Srivastava & V. Kumar, A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection, Proc. SIAM Conf. Data Mining, 2003.Google Scholar
W. Lee, S.J. Stolfo, and K. Mok, A Data Mining Framework for Building Intrusion Detection Models, Proc. IEEE Symp. on Security and Privacy, 1999.Google Scholar
N. Littlestone, Learning Quickly When Irrelevant Attributes Abound. Machine Learning 2, pp. 285--318. Google ScholarDigital Library
T. Lunt, A Survey of Intrusion Detection Techniques, Computers and Security 12:4, pp. 405--418, 1993. Google ScholarDigital Library
T. Mitchell, Machine Learning, McGraw-Hill.Google Scholar
P. Neumann, The Challenges of Insider Misuse, SRI Computer Science Lab Technical Report, 1999Google Scholar
J. Shavlik & M. Shavlik, Final Project Report for DARPA's Insider Threat Active Profiling (ITAP) program, April 2002.Google Scholar
C. Warrender, S. Forrest, & B. Pearlmutter. Detecting Intrusions using System Calls. IEEE Symposium on Security and Privacy, pp. 133--145, 1999.Google ScholarCross Ref

Index Terms

Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage
1. Computing methodologies
  1. Machine learning
2. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Intrusion Detection System by Using Hybrid Algorithm of Data Mining Technique
ICSCA '18: Proceedings of the 2018 7th International Conference on Software and Computer Applications

The aim of a network-based intrusion detection system (NIDS) is to detect malicious activity that targets a network and its resources. Abnormal activities or behaviors on the network systems could be identified by security systems. But, conventional ...
Read More
Using artificial anomalies to detect unknown and known network intrusions

Intrusion detection systems (IDSs) must be capable of detecting new and unknown attacks, or anomalies. We study the problem of building detection models for both pure anomaly detection and combined misuse and anomaly detection (i.e., detection of both ...
Read More
An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks

In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
KDD '04: Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining
August 2004
874 pages
ISBN:1581138881
DOI:10.1145/1014052
General Chairs:
Won Kim
Cyber Database Solutions
,
Ronny Kohavi
Amazon.com
,
Program Chairs:
Johannes Gehrke
Cornell University
,
William DuMouchel
AT&T Labs Research
Copyright © 2004 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 August 2004
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Windows 2000
Winnow algorithm
anomaly detection
feature selection
intrusion detection
machine learning
user modeling
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate1,133of8,635submissions,13%
Upcoming Conference
KDD '24

Sponsor:

sigkdd

sigkdd

The 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

August 25 - 29, 2024

Barcelona , Spain
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 35
  Total Citations
  View Citations
- 1,018
  Total Downloads
- Downloads (Last 12 months)6
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage

KDD '04: Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining

ABSTRACT

References

Cited By

Index Terms

Recommendations

Intrusion Detection System by Using Hybrid Algorithm of Data Mining Technique

Using artificial anomalies to detect unknown and known network intrusions

An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks