Processing of massive audit data streams for real-time anomaly intrusion detection

Computer Communications

Volumn 31, Issue 1, 2008, Pages 58-72

  Wang, Wei ^a   Guan, Xiaohong ^a,b   Zhang, Xiangliang ^a  

^a XI'AN JIAOTONG UNIVERSITY   (China)

^b TSINGHUA UNIVERSITY   (China)

Author keywords

Data streams; Hidden Markov models; Intrusion detection; Network security; Principal Component Analysis

Indexed keywords

COMPUTATIONAL EFFICIENCY; DATA REDUCTION; FEATURE EXTRACTION; HIDDEN MARKOV MODELS; NETWORK SECURITY; PRINCIPAL COMPONENT ANALYSIS;

DATA SOURCES; DATA STREAMS; HIGH SPEED PROCESSING; INTRUSION DETECTION SYSTEMS (IDS);

INTRUSION DETECTION;

EID: 37049002837     PISSN: 01403664     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comcom.2007.10.010     Document Type: Article

References (55)

1. Denning D.E. "An intrusion-detection model". IEEE Transactions on Software Engineering 13 2 (1987) 222-232
2. S.E. Smaha, Haystack: An intrusion detection system, in: Proceedings of the IEEE Fourth Aerospace Computer Security Applications Conference, 1988.
3. T. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, P. Neumann, H. Javitz, A. Valdes, T. Garvey, A real-time intrusion detection expert system (IDES) - final technical report, Technical report, Computer Science Laboratory, SRI International, Menlo Park, California, February 1992.
4. D. Anderson, T. Frivold, A. Valdes, Next-generation intrusion detection expert system (NIDES): a summary. Technical Report SRI-CSL-95-07, Computer Science Laboratory, SRI International, Menlo Park, California, May 1995.
5. Schonlau M., and Theus M. Detecting masquerades in intrusion detection based on unpopular commands. Information Processing Letters 76 (2000) 33-38
6. Schonlau M., Dumouchel W., Ju W.-H., Karr A.F., Theus M., and Vardi Y. Computer intrusion: detecting masquerades. Statistical Science 16 1 (2001) 58-74
7. Maxion R.A., and Townsend T.N. Masquerade detection using truncated command lines. Proceedings of the International Conference on Dependable Systems and Networks (DSN'02) (2002), IEEE Computer Society Press, Washington, D.C., Los Alamitos, California pp. 219-228
8. T. Lane, C.E. Brodley, Temporal sequence learning and data reduction for anomaly detection, in: Proceedings of Fifth ACM Conference on Computer and Communication Security, 1998.
9. M.Oka, Y. Oyama, H. Abe, K. Kato, Anomaly detection using layered networks based on eigen co-occurrence matrix, in: Proceedings of Seventh International Symposium on Recent Advances in Intrusion Detection (RAID'2004), Springer, LNCS-3224, 2004, pp. 223-237.
10. S. Forrest, S.A. Hofmeyr, A. Somayaji, T.A. Longstaff, A sense of self for Unix processes, in: Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy, Los Alamos, CA, 1996, pp. 120-128.
11. W. Lee, S. Stolfo, Data mining approaches for intrusion detection, in: Proceedings of the Seventh USENIX Security Symposium, Usenix Association, 1998, pp. 79-94.
12. C. Warrender, S. Forrest, B. Pearlmutter, Detecting intrusions using system calls: alternative data models, in: Proceedings of 1999 IEEE Symposium on Security and Privacy, 1999, pp. 133-145.
13. Yan Q., Xie W., Yan B., and Song G. An anomaly intrusion detection method based on HMM. Electronics Letters 38 13 (2002) 663-664
14. Yeung D.Y., and Ding Y. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition 36 1 (2003) 229-243
15. Cho S.B., and Park H.J. Efficient anomaly detection by modeling privilege flows using hidden Markov model. Computers and Security 22 1 (2003) 5-55
16. W. Wang, X. Guan, X. Zhang, Modeling program behaviors by hidden markov models for intrusion detection, in: Proceedings of the Third International Conference on Machine Learning and Cybernetics (ICMLC'2004), 2004, pp. 2830-2835.
17. A. Wespi, M. Dacier, H. Debar, Intrusion detection using variable-length audit trail patterns, in: Proceedings of the Third International Workshop on the Recent Advances in Intrusion Detection (RAID'2000), LNCS-1907, 2000.
18. Asaka M., Onabuta T., Inoue T., Okazawa S., and Goto S. A new intrusion detection method based on discriminant analysis. IEICE Transactions on Information and Systems E84D 5 (2001) 570-577
19. W. Lee, D. Xiang, Information-theoretic measures for anomaly detection, in: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA, May 2001.
20. Liao Y.H., and Vemuri V.R. Use of k-nearest neighbor classifier for intrusion detection. Computers and Security 21 5 (2002) 439-448
21. W. Hu, Y. Liao, V.R. Vemuri, Robust support vector machines for anomaly detection in computer security, in: Proceeding of the 2003 International Conference on Machine Learning and Applications (ICMLA'03), Los Angeles, California, 2003.
22. Cho S.B. Incorporating soft computing techniques into a probabilistic intrusion detection system. IEEE Transactions on Systems, Man, and Cybernetics - Part C 32 2 (2002) 154-160
23. Cai Z., Guan X., Shao P., Peng Q., and Sun G. A rough set theory based method for anomaly intrusion detection in computer networks. Expert Systems 18 5 (2003) 251-259
24. Feng L., Guan X., Guo S., Gao Y., and Liu P. Predicting the intrusion intentions by observing system call sequences. Computers and Security 23 5 (2004) 241-252
25. W. Wang, X. Guan, X. Zhang, Profiling program and user behaviors for anomaly intrusion detection based on non-negative matrix factorization, in: Proceedings of 43rd IEEE Conference on Control and Decision (CDC'2004), Atlantis, Paradise Island, Bahamas, 2004, pp. 99-104.
26. Ye N., Zhang Y., and Borror C.M. Robustness of the Markov chain model for cyber attack detection. IEEE Transactions on Reliability 53 1 (2004) 116-121
27. Ju W.-H., and Vardi Y. A hybrid high-order Markov chain model for computer intrusion detection. Journal of Computational and Graphical Statistics 10 2 (2001) 277-295
28. Ye N., and Chen Q. Computer intrusion detection through EWMA for auto-correlated and uncorrelated data. IEEE Transactions on Reliability 52 1 (2003) 73-82
29. Ye N., Li X., Chen Q., Emran S.M., and Xu M. Probabilistic techniques for intrusion detection based on computer audit data. IEEE Transactions on Systems, Man, and Cybernetics - Part A 31 4 (2001) 266-274
30. Ye N., and Chen Q. An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems. Quality and Reliability Engineering International 17 2 (2001) 105-112
31. A.K. Ghosh, A. Schwartzbard, M. Schatz, Learning program behavior profiles for intrusion detection, in: Proceedings of the First USENIX Workshop on Intrusion Detection and Network Monitoring, 1999, pp. 51-62.
32. P.A. Porras, P.G. Neumann, EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances, in: Proceedings of National Information Systems Security Conference, Baltimore, MD, 1997.
33. W. Lee, S. Stolfo, K. Mok, A data mining framework for adaptive intrusion detection, in: Proceedings of the 1999 IEEE Symposium on Security and Privacy, Los Alamos, CA, 1999, pp. 120-132.
34. Lee W., and Stolfo S. A Framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security 3 4 (2000) 227-261
35. Liu Y., Chen K., Liao X., et al. "A genetic clustering method for intrusion detection". Pattern Recognition 37 5 (2004) 927-942
36. Eskin E., Arnold A., Prerau M., Portnoy L., and Stolfo S. A Geometric framework for unsupervised anomaly detection. Applications of Data Mining in Computer Security (2002), Kluwer Academics, Dordrecht
37. M. Shyu, S. Chen, K. Sarinnapakorn, L. Chang, A novel anomaly detection scheme based on principal component classifier, in: Proceedings of the IEEE Foundations and New Directions of Data Mining Workshop, in conjunction with the Third IEEE International Conference on Data Mining (ICDM'2003), 2003, pp. 172-179.
38. H. Kayacik, A. Zincir-Heywood, M. Heywood, On the capability of an SOM based intrusion detection system, in: Proceedings of the IEEE International Joint Conference Neural Networks (IJCNN'2003), 2003, pp. 1808-1813.
39. Sarasamma S.T., Zhu Q.A., and Huff J. Hierarchical Kohonenen net for anomaly detection in network security. IEEE Transactions on Systems, Man and Cybernetics, Part B 35 2 (2005) 302-312
40. Lee S.C., and Heinbuch D.V. Training a neural-network based intrusion detector. IEEE Transactions on Systems man and Cybernetics 31 4 (2001) 294-299
41. Giacinto G., Roli F., and Didaci L. Fusion of multiple classifiers for intrusion detection in computer networks. Pattern Recognition Letters 24 5 (2003) 1795-1803
42. MIT Lincoln Laboratory-DARPA Intrusion Detection Evaluation Documentation, , 1999.
43. Rabiner L.R. A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE 77 2 (1989)
44. Rabiner L.R., and Juang B.H. An introduction to hidden Markov models. IEEE ASSP Magazine (1986)
45. Duda R.O., Hart P.E., and Stork D.G. Pattern Classification. second ed. (2004), China Machine Press, Beijing Feb
46. C. Kruegel, D. Mutz, F. Valeur and G. Vigna, On the detection of anomalous system call arguments, in: Eighth European Symposium on Research in Computer Security (ESORICS'2003), LNCS, Norway, 2003, pp. 101-118.
47. Mutz D., Valeur F., Kruegel C., and Vigna G. Anomalous system call detection. ACM Transactions on Information and System Security 9 1 (2006) 61-93
48. CERT Advisory CA-2001-07 File, Globbing Vulnerabilities in Various FTP Servers, , 2001.
49. Jolliffe I.T. Principal Component Analysis. second ed. (2002), Springer-Verlag, NY
50. Turk M., and Pentland A. Eigenfaces for recognition. Journal of Neuroscience 3 1 (1991) 71-86
51. Golub G.H., and van Loan C.F. Matrix Computation (1996), Johns Hopkins University Press, Baltimore
52. W. Wang, X. Guan, X. Zhang, A novel intrusion detection method based on principal component analysis in computer security, in: Advances in Neural Networks-ISNN2004. International IEEE Symposium on Neural Networks, Dalian, China. LNCS-3174, August 2004, pp. 657-662.
53. W. Wang, R. Battiti, Identifying intrusions in computer networks with principal component analysis, in: Proceedings of the First International Conference on Availability, Reliability and Security (ARES 2006), IEEE Press Society, Vienna, Austria, April 2006, pp. 270-277.
54. K.M.C. Tan, R.A. Maxion, Why 6? Defining the operational limits of stide, an anomaly-based intrusion detector, in: Proceedings of 2002 IEEE Symposium on Security and Privacy, 2002, pp. 188- 201.
55. KDD Cup 1999 Data, , 1999.