ABSTRACT
Intrusion detection has emerged as an important approach to network security. A new method for anomaly intrusion detection is proposed, based on linear prediction and a Markov chain model. Linear prediction is employed to extract features from the system call sequences of privileged processes, and the Markov chain model is built on those features. The observed behavior of the system is analyzed to infer the probability that the Markov chain model of the normal profile supports the observed behavior; a low probability of support indicates anomalous behavior that may result from intrusive activity. Markov information source entropy (MISE) and conditional entropy (CE) are used to select the model parameters. The model is simple and predicts accurately. Experiments show that the method is effective and efficient and can be used in practice to monitor a computer system in real time.
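The following is an added example, not code from the paper: it builds a first-order Markov chain profile of a privileged process from its normal system call trace, scores sliding windows of a new trace by their average log-probability of support, and computes the two quantities the abstract names for parameter selection, the Markov information source entropy (entropy rate of the fitted chain) and the conditional entropy of the trace at increasing context lengths. The paper's linear-prediction feature extraction is not reproduced; here the chain states are the system call names themselves. The system call alphabet and both traces are constructed for the example, and the connect-back style attack sequence is hypothetical.

```python
"""Markov chain anomaly scoring over system call traces (added example)."""
import math
from collections import Counter

# Constructed sample data (not from the paper). In practice the alphabet is
# the kernel's system call table, known before any trace is collected.
SYSCALL_ALPHABET = ["open", "read", "write", "close", "mmap", "munmap",
                    "socket", "connect", "dup2", "execve"]
NORMAL_TRACE = (["open", "read", "read", "write", "close"] * 40
                + ["open", "read", "mmap", "munmap", "close"] * 10)
# Hypothetical intrusion: a connect-back sequence spliced between normal requests.
ATTACK_TRACE = (["open", "read", "read", "write", "close"] * 2
                + ["socket", "connect", "dup2", "dup2", "execve"]
                + ["open", "read", "read", "write", "close"] * 2)


def conditional_entropy(trace, order):
    """H(X_t | X_{t-order..t-1}) in bits, estimated from the trace.

    Evaluating this for order = 0, 1, 2, ... is the usual way to pick the
    Markov order: stop increasing it once the entropy stops dropping."""
    context_counts, joint_counts = Counter(), Counter()
    for i in range(order, len(trace)):
        ctx = tuple(trace[i - order:i])
        context_counts[ctx] += 1
        joint_counts[(ctx, trace[i])] += 1
    total = len(trace) - order
    return -sum(c / total * math.log2(c / context_counts[ctx])
                for (ctx, _), c in joint_counts.items())


class MarkovChainProfile:
    """First-order Markov chain learned from a normal system call trace.

    Every symbol in the traces must belong to `alphabet`."""

    def __init__(self, trace, alphabet, smoothing=0.01):
        self.alphabet = list(alphabet)
        k = len(self.alphabet)
        pair_counts = Counter(zip(trace, trace[1:]))
        state_counts = Counter(trace)
        # Additive smoothing keeps every transition strictly positive, so a
        # never-seen transition lowers the score instead of producing log(0).
        self.transition = {}
        for a in self.alphabet:
            row_total = sum(pair_counts[(a, b)] for b in self.alphabet)
            self.transition[a] = {
                b: (pair_counts[(a, b)] + smoothing) / (row_total + smoothing * k)
                for b in self.alphabet}
        # Empirical state frequencies estimate the stationary distribution.
        n = len(trace)
        self.stationary = {a: (state_counts[a] + smoothing) / (n + smoothing * k)
                           for a in self.alphabet}

    def entropy_rate(self):
        """Markov information source entropy (MISE), bits per system call:
        the stationary-weighted average of the transition row entropies."""
        return -sum(self.stationary[a] * p * math.log2(p)
                    for a in self.alphabet for p in self.transition[a].values())

    def log_support(self, window):
        """Average log2 probability per symbol that the profile generated `window`."""
        logp = math.log2(self.stationary[window[0]])
        for a, b in zip(window, window[1:]):
            logp += math.log2(self.transition[a][b])
        return logp / len(window)

    def window_scores(self, trace, width):
        return [self.log_support(trace[i:i + width])
                for i in range(len(trace) - width + 1)]

    def threshold(self, trace, width, margin=0.5):
        """Lowest support seen on normal windows, minus a margin in bits/symbol."""
        return min(self.window_scores(trace, width)) - margin

    def detect(self, trace, width, thresh):
        """Indices of windows whose support falls below `thresh`."""
        return [i for i, s in enumerate(self.window_scores(trace, width)) if s < thresh]


if __name__ == "__main__":
    profile = MarkovChainProfile(NORMAL_TRACE, SYSCALL_ALPHABET)
    print("MISE of normal profile: %.3f bits/syscall" % profile.entropy_rate())
    for order in range(4):
        print("CE at order %d: %.3f bits" % (order, conditional_entropy(NORMAL_TRACE, order)))
    width = 5
    thresh = profile.threshold(NORMAL_TRACE, width)
    print("threshold:", round(thresh, 3))
    print("anomalous windows in attack trace:", profile.detect(ATTACK_TRACE, width, thresh))
```

The threshold is set from the normal trace alone, so every training window passes by construction; the detector then flags exactly the windows of the attack trace that overlap the spliced sequence, because a transition the profile never saw costs roughly log2 of the smoothing mass. The conditional entropy drops sharply from order 0 to order 2 on this trace and then levels off, which is the signal to stop raising the Markov order.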
Index Terms
- A new intrusion detection method based on linear prediction