Computer intrusion detection through EWMA for autocorrelated and uncorrelated data

IEEE Transactions on Reliability

Volumn 52, Issue 1, 2003, Pages 75-82

  Ye, Nong ^a   Vilbert, Sean ^b   Chen, Qiang ^b  

^a ARIZONA STATE UNIVERSITY   (United States)

^b AZ 85281   (United States)

Author keywords

Anomaly detection; Computer audit data; Exponentially weighted moving average (EWMA); Information assurance; Intrusion detection

Indexed keywords

COMPUTER SYSTEMS; QUALITY OF SERVICE; SECURITY OF DATA;

COMPUTER INTRUSION DETECTION;

INFORMATION SCIENCE;

EID: 0037333205     PISSN: 00189529     EISSN: None     Source Type: Journal    
DOI: 10.1109/TR.2002.805796     Document Type: Article

References (45)

1. W. Stallings, Network and Inter-Network Security Principles and Practice: Prentice-Hall, 1995.
2. C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World: Prentice-Hall, 1995.
3. N. Ye, J. Giordano, and J. Feldman, "Detecting information warfare attacks: Current state of the art from a process control viewpoint," Communications ACM, vol. 44, Aug. 2001.
4. T. Escamilla, Intrusion Detection: Network Security Beyond the Fire-wall: John Wiley and Sons, 1998.
5. W. Everett, S. Keene, and A. Nikora, "Applying software reliability engineering in the 1990s," IEEE Trans. Rel., vol. 47, pp. 372-378, Sept. 1998.
6. A. Thakur and R. K. Iyer, "Analyze-NOW - An environment for collection and analysis of failures in a network of workstations," IEEE Trans. Rel., vol. 45, no. 4, pp. 561-570, Dec. 1996.
7. C. S. Hood and C. Ji, "Proactive network-fault detection," IEEE Trans. Rel., vol. 46, no. 3, pp. 333-341, Sept. 1997.
8. S. Morasca, "Assessment of fault-detection processes: An approach based on reliability techniques," IEEE Trans. Rel., vol. 45, no. 4, pp. 632-637, Dec. 1996.
9. C. M. Krishna, "Optimal configuration of redundant real-time systems in the face of correlated failure," IEEE Trans. Rel., vol. 44, no. 4, pp. 587-594, Dec. 1995.
10. S.-T. Cheng, "Topological optimization of a reliable communication work," IEEE Trans. Rel., vol. 47, no. 3, pp. 225-233, Sept. 1998.
11. S. N. Chau, L. Alkalai, A. T. Tai, and J. B. Burt, "Design of a fault-tolerant COTS-based bus architecture," IEEE Trans. Rel., vol. 48, no. 4, pp. 351-359, Dec. 1999.
12. H.-M. Sun and S.-P. Shieh, "Optimal information-dispersal for increasing the reliability of a distributed service," IEEE Trans. Rel., vol. 46, no. 4, pp. 462-472, Dec. 1997.
13. H. Debar, M. Dacier, and A. Wespi, "Toward a taxonomy of intrusion-detection systems," Computer Networks, vol. 31, pp. 805-822, 1999.
14. R. Lippmann et al., "Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation," in Proc. DARPA Inform. Survivability Conf. Exposition: IEEE Computer Society, 2000, pp. 12-25.
15. D. Anderson, T. Frivold, and A. Valdes, "Next-generation Intrusion Detection Expert System (NIDES): A Summary," SRI International, Tech. Rep. SRI-CSL-97-07, 1995.
16. G. Vigna, S. Eckmann, and R. Kemmerer, "The STAT tool suite," in Proc. DARPA Inform. Survivability Conf. and Exposition: IEEE Computer Society, 2000, pp. 46-55.
17. S. Kumar, "Classification and Detection of Computer Intrusions," Ph.D. dissertation, Department of Computer Science, Purdue University, Indiana, USA, 1995.
18. W. Lee, S. J. Stolfo, and K. Mok. Mining in a data-flow environment: Experience in network intrusion detection, presented at Proc. 5th ACM SIGKDD Int. Conf. Knowledge Discovery and Data Mining. [Online] Available: http://www.cs.columbia.edu/sal/JAM/PROJECT/.
19. N. Ye and X. Li, "A scalable clustering technique for intrusion signature recognition," in Proc. 2nd IEEE SMC Inform. Assurance Workshop, 2001.
20. N. Ye, X. Li, and S. M. Emran, "Decision trees for signature recognition and state classification," in Proc. 1st IEEE SMC Inform. Assurance and Security Workshop, 2000.
21. N. Ye et al., "Probabilistic techniques for intrusion detection based on computer audit data," IEEE Trans. Syst., Man, and Cybern., vol. 31, no. 4, 2001.
22. N. Ye, S. M. Emran, X. Li, and Q. Chen, "Statistical process control techniques for an intrusion detection system," in Proc. 2nd DARPA Inform. Survivability Conf. and Exposition, 2001.
23. S. M. Emran and N. Ye, "Robustness of Canberra metric in computer intrusion detection," in Proc. 2nd IEEE SMC Inform. Assurance Workshop, 2001.
24. N. Ye, Q. Chen, and S. M. Emran, "Computer intrusion detection based on statistical distributions of distance metrics," in Proc. Southern Conf. Computing, 2000.
25. N. Ye, "A Markov chain model of temporal behavior for anomaly detection," in Proc. 1st IEEE SMC Inform. Assurance and Security Workshop, 2000.
26. N. Ye, Q. Zhong, and M. Xu, "Probabilistic networks with undirected links for anomaly detection," in Proc. 1st IEEE SMC Inform. Assurance and Security Workshop, 2000.
27. N. Ye, Q. Chen, and S. M. Emran, "Hotelling's T2 multivariate profiling for anomaly detection," in Proc. 1st IEEE SMC Inform. Assurance and Security Workshop, 2000.
28. N. Ye and Q. Chen, "An anomaly detection technique based on a chisquare statistic for detecting intrusions into information systems," Qual. Rel. Eng. Int., vol. 17, no. 2, pp. 105-112, Mar./Apr. 2001.
29. D. E. Denning, "An intrusion-detection model," IEEE Trans. Software Eng., vol. 13, no. 2, pp. 222-232, 1987.
30. A. K. Ghosh, A. Schwatzbard, and M. Shatz. Learning program behavior profiles for intrusion detection, presented at Proc. 1st USENIX Workshop on Intrusion Detection and Network Monitoring. [Online]. Available: http://www.rstcorp.com/anup/.
31. S. Forrest, S. A. Hofmeyr, and A. Somayaji, "Computer immunology," Communications ACM, vol. 40, no. 10, pp. 88-96, Oct. 1997.
32. C. Ko, G. Fink, and K. Levitt, "Execution monitoring of security-critical programs in distributed systems: A specification-based approach," in Proc. 1997 IEEE Symp. Security and Privacy: IEEE Computer Society, 1997, pp. 134-144.
33. H. S. Javitz and A. Valdes, "The SRI statistical anomaly detector," in Proc. 1991 IEEE Symp. Res. Security and Privacy: IEEE Computer Society, 1991.
34. H. S. Javitz and A. Valdes, "The NIDES statistical component description of justification," SRI International, Tech. Rep. A010, 1994.
35. Y. Jou et al., "Design and implementation of a scalable intrusion detection system for the protection of network infrastructure," in Proc. DARPA Inform. Survivability Conf. Exposition: IEEE Computer Society, 2000, pp. 69-83.
36. T. P. Ryan, Statistical Methods for Quality Improvement: John Wiley and Sons, 1989.
37. D. C. Montgomery, Introduction to Statistical Quality Control: John Wiley and Sons, 1997.
38. J. S. Hunter, "The exponentially weighted moving average," J. Qual. Technol., vol. 18, pp. 203-209, 1986.
39. S. W. Roberts, "Control chart tests based on geometric moving averages," Technometrics, vol. 1, pp. 239-251, 1959.
40. D. C. Montgomery and C. M. Mastrangelo, "Some statistical process control methods for autocorrelated data," J. Qual. Technol., vol. 23, no. 3, pp. 179-193, July 1991.
41. C. M. Borror, D. C. Montgomery, and C. G. Runger, "Robustness of the EWMA control charts to nonnormality," J. Qual. Technol., vol. 31, no. 3, pp. 309-316, 1999.
42. S. H. Steiner, "EWMA control charts with time-varying control limits and fast initial response," J. Qual. Technol., vol. 31, no. 1, pp. 75-86, 1999.
43. J. F. MacGregor and T. J. Harris, "The exponentially weighted moving variance," J. Qual. Technol., vol. 25, no. 1, pp. 106-118, 1993.
44. S. S. Prabhu and G. C. Runger, "Designing a multivariate EWMA control chart," J. Qual. Technol., vol. 29, no. 1, pp. 8-15, Jan. 1997.
45. D. C. Montgomery, L. A. Johnson, and J. S. Gardiner, Forecasting and Time Series Analysis: McGraw-Hill, 1990.