Robustness of the Markov-chain model for cyber-attack detection

IEEE Transactions on Reliability

Volumn 53, Issue 1, 2004, Pages 116-123

  Ye, Nong ^a,b   Zhang, Yebin ^b   Borror, Connie M ^b  

^a Info and Systems Assurance Lab   (United States)

^b Arizona State University   (United States)

Author keywords

Computer audit data; Computer security; Intrusion detection; Markov chain

Indexed keywords

ALGORITHMS; COMPUTER WORKSTATIONS; INFERENCE ENGINES; LEARNING ALGORITHMS; PATTERN RECOGNITION; SECURITY OF DATA; UNIX;

COMPUTER AUDIT DATA; CYBER-ATTACK DETECTION; INTRUSION DETECTION; MARKOV-CHAIN MODEL;

MARKOV PROCESSES;

EID: 1942436335     PISSN: 00189529     EISSN: None     Source Type: Journal    
DOI: 10.1109/TR.2004.823851     Document Type: Article

References (56)

1. W. Stallings, Network and Inter-network Security Principles and Practice: Prentice Hall, 1995.
2. C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World: Prentice Hall, 1995.
3. T. Escamilla, Intrusion Detection: Network Security Beyond the Firewall: John Wiley & Sons, 1998.
4. B. Simons, "Building big brother," Commun. ACM, vol. 43, no. 1, pp. 31-32, Jan. 2000.
5. P. G. Neumann, "Risks of insiders," Commun. ACM, vol. 42, no. 12, p. 160, Dec. 1999.
6. M. Godwin, "Net to worry," Commun. ACM, vol. 42, no. 12, pp. 15-17, Dec. 1999.
7. S. Jajodia, P. Ammann, and C. D. McCollum, "Surviving information warfare attacks," Computer, vol. 32, no. 3, pp. 57-63, Apr. 1999.
8. P. Mann, "Pentagon confronts mounting cyber risks," Aviation Week and Space Technology, vol. 150, no. 12, pp. 82-83, Mar. 1999.
9. B. H. Barnes, "Computer security research: A British perspective," IEEE Software, vol. 15, no. 4, pp. 30-33, Sept./Oct., 1998.
10. A. Boulanger, "Catapults and grappling hooks: The tools and techniques of information warfare," IBM Systems J, vol. 37, no. 1, pp. 106-114, 1998.
11. H. Debar, M. Dacier, and A. Wespi, "Toward a taxonomy of intrusion-detection systems," Computer Networks, vol. 31, pp. 805-822, 1999.
12. R. Lippmann et al., "Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation," in Proc. DARPA Information Survivability Conf. & Exposition, Jan. 2000, pp. 12-26.
13. D. Schnackenburg and K. Djahandari, "Infrastructure for intrusion detection and response," in Proc. DARPA Information Survivability Conf. & Exposition, Jan. 2000, pp. 3-11.
14. T. Bass, "Intrusion detection systems and multi-sensor data fusion," Commun. ACM, vol. 43, no. 3, pp. 99-105, Apr. 2000.
15. M. Stillerman, C. Marceau, and M. Stillman, "Intrusion detection for distributed applications," Commun. ACM, vol. 42, no. 6, pp. 62-69, July 1999.
16. U. Lindqvist and P. A. Porras, "Detecting computer and network misuse through the production-based expert system toolset (P-BEST)," in Proc. 1999 IEEE Symp. Security and Privacy, May 1999.
17. P. A. Porras and P. G. Neumann, "EMERALD: Event monitoring enabling responses to anomalous live disturbances," in Proc. NISSC, Oct. 1997.
18. P. G. Neumann and P. A. Porras, "Experience with EMERALD to date," in Proc. USENIX Workshop on Intrusion Detection and Network Monitoring, Apr. 1999, pp. 73-80.
19. W. Lee and S. J. Stolfo, "Data mining approaches for intrusion detection," in Proc. 1998 USENIX Security Symp.
20. W. Lee, S. J. Stolfo, and K. W. Mok, "A data mining framework for building intrusion detection models," in Proc. 1999 IEEE Symp. Security & Privacy.
21. ____, "Mining audit data to build intrusion detection models," in Proc. 1998 Intl. Conf. Knowledge Discovery and Data Mining.
22. ____, "Mining in a data-flow environment: Experience in network intrusion detection," in Proc. 1999 ACM SIGKDD Int. Conf. Knowledge Discovery and Data Mining.
23. G. Vigna and R. Kemmerer. NetStat: A network-based intrusion detection approach. presented at Proc. 1998 Ann. Computer Security Applications Conf. [Online]. Available: http://www.cs.ucsb.edu/~kemm/netstat.html/
24. G. Vigna, S. T. Eckmann, and R. A. Kemmerer, "The STAT tool suit," in Proc. 2000 DARPA Information Survivability Conf. & Exposition, pp. 46-55.
25. S. Kumar, "Classification and Detection of Computer Intrusions," Ph.D. Dissertation, Dept. Computer Science, Purdue University, 1995.
26. N. Ye, X. Li, and S. M. Emran, "Decision trees for signature recognition and state classification," in Proc. 2000 IEEE SMC Information Assurance and Security Workshop.
27. C. Ko, G. Fink, and K. Levitt, "Execution monitoring of security-critical programs in distributed systems: A specification-based approach," in Proc. 1997 IEEE Symp. Security and Privacy, pp. 134-144.
28. S. Staniford-Chen et al., "GrIDS-A graph-based intrusion detection system for large networks," in Proc. 1996 Nat. Information Systems Security Conf.
29. T. Bowen et al., "Building survivable systems: An integrated approach based on intrusion detection and damage containment," in Proc. 2000 DARPA Information Survivability Conf. Exposition, vol. II, pp. 84-99.
30. D. E. Denning, "An intrusion-detection model," IEEE Trans. Software Eng., vol. SE-13, no. 2, pp. 222-232, Feb. 1987.
31. D. Anderson, T. Frivold, and A. Valdes, "Next-Generation Intrusion Detection Expert System (NIDES): A Summary,", Menlo Park, CA, Technical Report SRI-CSL-97-07, May 1995. SRI Int'l.
32. H. S. Javitz and A. Valdes, "The SRI statistical anomaly detector," in Proc. 1991 IEEE Symp. Research in Security and Privacy.
33. ____, "The NIDES Statistical Component Description of Justification,", Menlo Park, CA, Technical Report A010, Mar. 1994. SRI Int'l.
34. Y. Jou et al., "Design and implementation of a scalable intrusion detection system for the protection of network infrastructure," in Proc. 2000 DARPA Information Survivability Conf. Exposition, pp. 69-83.
35. N. Ye, Q. Chen, and S. M. Emran, "Chi-square statistical profiling for anomaly detection," in Proc. 2000 IEEE SMC Information Assurance and Security Workshop.
36. ____, "Hotelling's T2 multivariate profiling for anomaly detection," in Proc. 2000 IEEE SMC Information Assurance and Security Workshop.
37. H. Debar, M. Becker, and D. Siboni, "A neural network component for an intrusion detection system," in Proc. 1992 IEEE Computer Society Symp. Research in Security and Privacy, pp. 240-250.
38. A. K. Ghosh, A. Schwatzbard, and M. Shatz. Learning program behavior profiles for intrusion detection. presented at Proc. 1999 USENIX Workshop on Intrusion Detection and Network Monitoring. [Online]. Available: http://www.rstcorp.com/~anup/
39. S. Forrest, S. A. Hofmeyr, and A. Somayaji, "Computer immunology," Commun. ACM, vol. 40, no. 9, pp. 88-96, Oct., 1997.
40. H. Debar, M. Dacier, M. Nassehi, and A. Wespi, "Fixed vs. variable-length patterns for detecting suspicious process behavior," in 1998 Proc. European Symp. Research in Computer Security, pp. 1-15.
41. C. Warrender, S. Forrest, and B. Pearlmutter, "Detecting intrusions using system calls: Alternative data models," in Proc. 1999 IEEE Symp. Security and Privacy, pp. 133-145.
42. W. DuMouchel. Computer Intrusion Detection Based on Bayes factors for Comparing Command Transition Probabilities. National Institute of Statistical Sciences. [Online]. Available: http://www.niss.org/downloadabletechreports.html
43. W.-H. Ju and Y. Vardi. A Hybrid High-Order Markov-Chain Model for Computer Intrusion Detection. National Institute of Statistical Sciences. [Online]. Available: http://www.niss.org/downloadabletechreports.html
44. M. Schonlau et al. Computer Intrusion: Detecting Masquerades. National Inst. of Statistical Sciences. [Online]. Available: http://www.niss.org/downloadabletechreports.html
45. S. L. Scott, Detecting Network Intrusion Using a Markov Modulated Nonhomogeneous Poisson Process.
46. N. Ye, Q. Zhong, and M. Xu, "Probabilistic networks with undirected links for anomaly detection," in Proc. 2000 IEEE SMC Information Assurance and Security Workshop.
47. W. DuMouchel and M. Schonlau, "A comparison of test statistics for computer intrusion detection based on principal components regression of transition probabilities," in Proc. #30 Symp. Interface: Computing Science and Statistics.
48. N. Ye, Cyber attack detection through a Markov-chain model of computer event transitions, in IEEE Trans. Systems, Man and Cybernetics. submitted.
49. W. L. Winston, Operations Research: Applications and Algorithms: Duxbury Press, 1994.
50. P. Buttorp, Stochastic Modeling of Scientific Data: Chapman & Hall, 1995.
51. A. Gelman, J. B. Carlin, H. S. Stern, and D. B. Rubin, Bayesian Data Analysis: Chapman & Hall, 1995.
52. I. L. MacDonald and W. Zucchini, Hidden Markov and Other Models for Discrete Valued Time Series: Chapman & Hall, 1997.
53. T. M. Mitchell, Machine Learning: McGraw-Hill, 1997.
54. F. V. Jensen, An Introduction to Bayesian Networks: UCL Press, 1996.
55. N. Ye and Q. Chen, "EWMA techniques for detecting computer intrusions through anomalous changes in event intensity," IEEE Trans. Rel., vol. 52, no. 1, Mar. 2004.
56. B. H. Kantowitz and R. D. Sorkin, Human Factors: Understanding People-System Relationships: John Wiley & Sons, 1983.