Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Springer Nature Link
Log in

User Profiling for Intrusion Detection Using Dynamic and Static Behavioral Models

  • Conference paper
  • First Online:
Advances in Knowledge Discovery and Data Mining (PAKDD 2002)

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 2336))

Included in the following conference series:

Abstract

Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on user profiles built from normal usage data. In particular, user profiles based on Unix shell commands are modeled using two different types of behavioral models. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only. To determine whether a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that static modeling outperforms dynamic modeling for this application. Moreover, the static modeling approach based on cross entropy is similar in performance to instance-based learning reported previously by others for the same dataset but with much higher computational and storage requirements than our method.

This research was supported by the Hong Kong Innovation and Technology Commission (ITC) under project AF/223/98 and the Hong Kong University Grants Committee (UGC) under Areas of Excellence research grant AoE98/99.EG01.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. L.E. Baum, T. Petrie, G. Soules, and N. Weiss. A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains. Annals of Mathematical Statistics, 41(1):164–171, 1970.

    Article  MathSciNet  MATH  Google Scholar 

  2. C.M. Bishop. Novelty detection and neural network validation. IEE Proceedings: Vision, Image and Signal Processing, 141(4):217–222, 1994.

    Article  Google Scholar 

  3. P.R. Cohen. Empirical Methods for Artificial Intelligence. MIT Press, Cambridge, MA, USA, 1995.

    Google Scholar 

  4. W. J. Daunicht. Autoassociation and novelty detection by neuromechanics. Science, 253(5025):1289–1291, 1991.

    Article  Google Scholar 

  5. A.P. Dempster, N.M. Laird, and D.B. Rubin. Maximum likelihood from incomplete data via the EM algorithm (with discussion). Journal of the Royal Statistical Society, Series B, 39:1–38, 1977.

    MATH  MathSciNet  Google Scholar 

  6. D.E. Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, 13(2):222–232, 1987.

    Article  Google Scholar 

  7. D. Endler. Intrusion detection: applying machine learning to Solaris audit data. In Proceedings of the Fourteenth Annual Computer Security Applications Conference, pages 268–279, Phoenix, AZ, USA, 7–11 December 1998.

    Google Scholar 

  8. S. Forrest, S.A. Hofmeyr, A. Somayaji, and T.A. Longstaff. A sense of self for Unix processes. In Proceedings of the IEEE Symposium on Security and Privacy, pages 120–128, Oakland, CA, USA, 6–8 May 1996.

    Google Scholar 

  9. D. Gunetti and G. Ruffo. Intrusion detection through behavioral data. In Proceedings of the Third International Symposium on Intelligent Data Analysis, pages 383–394, Amsterdam, Netherlands, 9–11 August 1999.

    Google Scholar 

  10. G.G. Helmer, J.S.K. Wong, V. Honavar, and L. Miller. Intelligent agents for intrusion detection. In Proceedings of the 1998 IEEE Information Technology Conference — Information Environment for the Future, pages 121–124, Syracuse, NY, USA, 1–3 September 1998.

    Google Scholar 

  11. N. Japkowicz, C. Myers, and M. Gluck. A novelty detection approach to classification. In Proceedings of the Fourteenth International Joint Conference on Artificial Intelligence, volume 1, pages 518–523, Montréal, Quebec, Canada, 20–25 August 1995.

    Google Scholar 

  12. R.W. Johnson and J.E. Shore. Comments on and correction to ‘axiomatic derivation of the principle of maximum entropy and the principle of minimum cross-entropy’ (Jan 80 26–37). IEEE Transactions on Information Theory, 29(6):942–943, 1983.

    Article  MATH  MathSciNet  Google Scholar 

  13. S. Kullback and R.A. Leibler. On information and sufficiency. Annals of Mathematical Statistics, 22:79–86, 1951.

    Article  MathSciNet  MATH  Google Scholar 

  14. T. Lane. Hidden Markov models for human/computer interface modeling. In Proceedings of the IJCAI-99 Workshop on Learning about Users, pages 35–44, Stockholm, Sweden, 31 July 1999.

    Google Scholar 

  15. T. Lane and C.E. Brodley. Temporal sequence learning and data reduction for anomaly detection. In Proceedings of the Fifth ACM Conference on Computer and Communications Security, pages 150–158, San Francisco, CA, USA, 2–5 November 1998.

    Google Scholar 

  16. T. Lane and C.E. Brodley. Temporal sequence learning and data reduction for anomaly detection. ACM Transactions on Information and System Security, 2(3):295–331, 1999.

    Article  Google Scholar 

  17. W. Lee and S.J. Stolfo. Data mining approaches for intrusion detection. In Proceedings of the Seventh USENIX Security Symposium, pages 79–93, San Antonio, TX, USA, 26–29 January 1998.

    Google Scholar 

  18. W. Lee, S.J. Stolfo, and K.W. Mok. A data mining framework for building intrusion detection models. In Proceedings of the IEEE Symposium on Security and Privacy, pages 120–132, Oakland, CA, USA, 9–12 May 1999.

    Google Scholar 

  19. L.R. Rabiner. A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE, 77(2):257–286, 1989.

    Article  Google Scholar 

  20. J. Ryan, M.J. Lin, and R. Miikkulainen. Intrusion detection with neural networks. In M.I. Jordan, M.J. Kearns, and S.A. Solla, editors, Advances in Neural Information Processing Systems 10, pages 943–949. MIT Press, 1998.

    Google Scholar 

  21. M. Schonlau and M. Theus. Detecting masquerades in intrusion detection based on unpopular commands. Information Processing Letters, 76(1/2):33–38, 2000.

    Article  Google Scholar 

  22. J.E. Shore and R.W. Johnson. Axiomatic derivation of the principle of maximum entropy and the principle of minimum cross-entropy. IEEE Transactions on Information Theory, 26(1):26–37, 1980.

    Article  MATH  MathSciNet  Google Scholar 

  23. C. Warrender, S. Forrest, and B. Pearlmutter. Detecting intrusions using system calls: alternative data models. In Proceedings of the IEEE Symposium on Security and Privacy, pages 133–145, Oakland, CA, USA, 9–12 May 1999.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, Hong Kong University of Science and Technology, Hong Kong

    Dit-Yan Yeung & Yuxin Ding

Authors
  1. Dit-Yan Yeung
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yuxin Ding
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. EE Department, National Taiwan University, No. 1, Sec. 4, Roosevelt Road, Taipei, Taiwan, ROC

    Ming-Syan Chen

  2. IBM Thomas J. Watson Research Center, 30 Sawmill River Road, Hawthorne, NY, 10532, USA

    Philip S. Yu

  3. School of Computing, National University of Singapore, Lower Kent Ridge Road, Singapore, 119260

    Bing Liu

Rights and permissions

Reprints and permissions

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yeung, DY., Ding, Y. (2002). User Profiling for Intrusion Detection Using Dynamic and Static Behavioral Models. In: Chen, MS., Yu, P.S., Liu, B. (eds) Advances in Knowledge Discovery and Data Mining. PAKDD 2002. Lecture Notes in Computer Science(), vol 2336. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-47887-6_49

Download citation

  • DOI: https://doi.org/10.1007/3-540-47887-6_49

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-43704-8

  • Online ISBN: 978-3-540-47887-4

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation