Abstract
Intrusion detection systems (IDS) aim to detect attacks against computer systems by monitoring the behavior of users, networks, or computer systems. Attacks against computer systems are still largely successful despite the plenty of intrusion prevention techniques available. This paper presents an IDS based on anomaly detection using several AI techniques. Anomaly detection models normal behaviors and attempts to detect intrusions by noting significant deviations from normal behavior. Raw audit data are preprocessed and reduced into appropriate size and format using Self-Organizing Map (SOM). Different aspects of a sequence of events are modeled by several hidden Markov models (HMMs), and a voting technique combines the models to determine whether current behavior is normal or not. Several experiments are conducted to explore the optimal data reduction and modeling method. For the optimal measures, system call and file access related measures are found useful and overall performance depends on the map size for each measure. Voting technique leads to more reliable detection rate.
This work is supported in part by a grant from the Korea Information Security Agency.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Reference
S. Forrest, S.A. Hofmeyr and A. Somayaji, “Computer immunology,” CACM, vol. 40,no. 10, pp. 88–96, October 1997
A.K. Ghosh, A. Schwartzbard and M. Schatz, “Learning program behavior profiles for intrusion detection,” Proc. Workshop on Intrusion Detection and Network Monitoring, pp. 51–62, Santa Clara, USA, April 1999
K. Ilgun, R.A. Kemmerer, and P.A. Porras, “State transition analysis: A rule-based intrusion detection system,” IEEE Trans. on Software Engineering, vol. 21,no. 3, March 1995
J.S.R. Jang, “Fuzzy Inference System,” Neuro-Fuzzy and Soft Computing, Prentice-Hall, NJ, 1997
T. Kohonen, Self-Organizing Maps, Springer Press, 1995
T. Lane and C.E. Brodley, “Temporal sequence learning and data reduction for anomaly detection,” Proc. ACCS’ 98, pp. 150–158, 1997
W. Lee, S. Stolfo, and P. Chan, “Learning patterns from Unix process execution traces for intrusion detection,” Proc. AAAI97 Workshop on AI Methods in Fraud and Risk Management, 1997
T.F. Lunt, “A survey of intrusion detection techniques,” Computer & Security, vol. 12,no. 4, pp. 405–418, June 1993
P.A. Porras and P.G. Neumann, “Emerald: Event monitoring enabling responses to anomalous live disturbances,” Proc. 20th NISSC, pp. 353–365, October 1997
L.R. Rabiner, “A tutorial on hidden Markov models and selected applications in speech recognition,” Proc. of the IEEE, vol. 77,no. 2, pp. 257–286, February 1989
Sunsoft, Solaris 2.5 Sunshield Basic Security Module Guide, 1995
G. Vigna and R.A. Kemmerer, “Netstat: A network-based intrusion detection approach,” Proc. NISSC’98, pp. 338–347, October 1998
C. Warrender, S. Forrest and B. Pearlmutter, “Detecting intrusions using system calls: Alternative data models,” Proc. IEEE Symposium on Security and Privacy, pp. 133–145, May 1999
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Choy, J., Cho, SB. (2001). Anomaly Detection of Computer Usage Using Artificial Intelligence Techniques. In: Kowalczyk, R., Loke, S.W., Reed, N.E., Williams, G.J. (eds) Advances in Artificial Intelligence. PRICAI 2000 Workshop Reader. PRICAI 2000. Lecture Notes in Computer Science(), vol 2112. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45408-X_5
Download citation
DOI: https://doi.org/10.1007/3-540-45408-X_5
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42597-7
Online ISBN: 978-3-540-45408-3
eBook Packages: Springer Book Archive