Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data

Computers and Security

Volumn 25, Issue 7, 2006, Pages 539-550

  Wang, Wei ^a   Guan, Xiaohong ^a,b   Zhang, Xiangliang ^c   Yang, Liwei ^a  

^a XI'AN JIAOTONG UNIVERSITY   (China)

^b TSINGHUA UNIVERSITY   (China)

^c XI'AN JIAOTONG UNIVERSITY   (China)

Author keywords

Anomaly detection; Computer audit data; Computer security; Hidden Markov models; Intrusion detection; Profiling; Self organizing maps

Indexed keywords

COMPUTER AIDED ANALYSIS; COMPUTER CRIME; DATA REDUCTION; DATA STRUCTURES; MARKOV PROCESSES; SELF ORGANIZING MAPS;

ANOMALY DETECTION; INTRUSION DETECTION;

SECURITY SYSTEMS;

EID: 33750333036     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2006.05.005     Document Type: Article

References (30)

1. Anderson D., Frivold T., and Valdes A. Next-generation intrusion detection expert system (NIDES): a summary. Technical Report SRI-CSL-95-07 (1995), Computer Science Laboratory, SRI International, Menlo Park, California
2. Cai Z., Guan X., Shao P., Peng Q., and Sun G. A rough set theory based method for anomaly intrusion detection in computer networks. Expert Systems 18 5 (2003) 251-259
3. CERT Advisory CA-2001-07 file globbing vulnerabilities in various FTP servers. ; 2001 [retrieved May 2001].
4. Cho S.B., and Park H.J. Efficient anomaly detection by modeling privilege flows using hidden Markov model. Computers & Security 22 1 (2003) 45-55
5. Denning D.E. An intrusion-detection model. IEEE Transactions on Software Engineering 13 2 (1987) 222-232
6. Duda R.O., Hart P.E., and Stork D.G. Pattern classification. 2nd ed. (2004), China Machine Press, Beijing
7. Feng L., Guan X., Guo S., Gao Y., and Liu P. Predicting the intrusion intentions by observing system call sequences. Computers & Security 23 5 (2004) 241-252
8. Forrest S, Hofmeyr SA, Somayaji A, Longstaff TA. A sense of self for Unix processes. In: Proceedings of the 1996 IEEE symposium on research in security and privacy. Los Alamos, CA; 1996. p. 120-8.
9. Hu W, Liao Y, Vemuri VR. Robust support vector machines for anomaly detection in computer security. In: Proceeding of the 2003 international conference on machine learning and applications (ICMLA'03). Los Angeles, California; 2003.
10. Ju W.H., and Vardi Y. A hybrid high-order Markov chain model for computer intrusion detection. Journal of Computational and Graphical Statistics 10 2 (2001) 277-295
11. Kohonen T. The self-organizing map. Proceedings of the IEEE 78 (1990) 1464-1480
12. Kohonen T. Self-organizing maps. 3rd ed. (2001), Springer, Berlin
13. Lee W, Xiang D. Information-theoretic measures for anomaly detection. In: Proceedings of the 2001 IEEE symposium on security and privacy. Oakland, CA, USA; 2001. p. 130-43.
14. Lee W, Stolfo S, Chan P. Learning patterns from Unix process execution traces for intrusion detection. AAAI Workshop: AI approaches to fraud detection and risk management; 1997.
15. Liao Y.H., and Vemuri V.R. Use of k-nearest neighbor classifier for intrusion detection. Computer & Security 21 5 (2002) 439-448
16. Lunt T., Tamaru A., Gilham F., Jagannathan R., Jalali C., Neumann P.G., et al. A real-time intrusion detection expert system (IDES)-final technical report. Technical report (1992), Computer Science Laboratory, SRI International, Menlo Park, California
17. Rabiner L.R. A tutorial on hidden Markov models and selected applications in speech recognition. Proceeding of the IEEE 77 2 (1989)
18. Rabiner L.R., and Juang B.H. An introduction to hidden Markov models. IEEE ASSP Magazine (1986)
19. Ramadas M, Ostermann S, Tjaden B. Detecting anomalous network traffic with self-organizing maps. In: Proceedings of sixth international symposium on recent advances in intrusion detection (RAID 2003). Pittsburgh, Pennsylvania; 2003. p. 36-54.
20. Rawat S., Gulati V.P., and Pujari A.K. On the use of singular value decomposition for a fast intrusion detection system. Electronic Notes in Theoretical Computer Science 142 (2006) 215-228
21. Smaha SE. Haystack: an intrusion detection system. In: Proceedings of the IEEE fourth aerospace computer security applications conference; 1988.
22. Wang W, Guan X, Zhang X. Modeling program behaviors by hidden Markov models for intrusion detection. In: Proceedings of the third international conference on machine learning and cybernetics (ICMLC 2004); 2004a. p. 2830-5.
23. Wang W, Guan X, Zhang X. Profiling program and user behaviors for anomaly intrusion detection based on non-negative matrix factorization. In: Proceedings of 43rd IEEE conference on control and decision, Atlantis, Paradise Island, Bahamas; 2004b. p. 99-104.
24. Wang W, Guan X, Zhang X. A novel intrusion detection method based on principal component analysis in computer security. In: Advances in neural networks-ISNN2004. International IEEE symposium on neural networks, Dalian, China. Lecture notes in computer science (LNCS), No. 3174; 2004c. p. 657-62.
25. Warrender C, Forrest S, Pearlmutter B. Detecting Intrusions using system calls: alternative data models. In: Proceedings of 1999 IEEE symposium on security and privacy; 1999. p.133-45.
26. Wespi A, Dacier M, Debar H. Intrusion detection using variable-length audit trail patterns. In: Proceedings of the third international workshop on the recent advances in intrusion detection (RAID'2000), No. 1907 in LNCS; 2000.
27. Yan Q., Xie W., Yan B., and Song G. An anomaly intrusion detection method based on HMM. Electronics Letters 38 13 (2002) 663-664
28. Ye N., Zhang Y., and Borror C.M. Robustness of the Markov chain model for cyber attack detection. IEEE Transactions on Reliability 53 1 (2004) 116-121
29. Yeung D.Y., and Ding Y. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition 36 1 (2003) 229-243
30. Zhang Z., and Shen H. Application of online-training SVMs for real-time intrusion detection with different considerations. Computer Communications 28 (2005) 1428-1442