EWMA forecast of normal system activity for computer intrusion detection

Nong Ye, Qiang Chen, Connie M. Borror

Research output: Contribution to journal › Article › peer-review

55 Scopus citations

Abstract

Intrusions into computer systems have caused many quality/reliability problems. Detecting intrusions is an important part of assuring the quality/reliability of computer systems: intrusions and the quality/reliability problems associated with them must be detected quickly so that corrective actions can be taken. In this paper, we present and compare two methods of forecasting normal activities in computer systems for intrusion detection. One forecasting method uses the average of long-term normal activities as the forecast. The other uses the EWMA (exponentially weighted moving average) one-step-ahead forecast; a Markov chain model is used to learn and predict the normal activities that feed the EWMA forecast. A forecast of normal activities is used to detect a large deviation of the observed activities from the forecast as a possible intrusion into the computer system. A chi-square distance metric is used to measure the deviation of the observed activities from the forecast of normal activities. The two forecasting methods are tested on computer audit data of normal and intrusive activities. The results indicate that the chi-square distance measure with the EWMA forecast provides better intrusion-detection performance than the same measure with the average-based forecast.
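A worked comparison of the two forecasting methods described in the abstract, added here as an example rather than code from the paper: each audit window is a vector of event-type counts, the forecast is either the long-term average of the training windows or an EWMA one-step-ahead forecast, and the chi-square distance between observed and forecast counts is compared with a limit learned from normal windows. The Markov chain model the authors use to learn normal activity is left out; the smoothing weight, the mean + 3 sigma limit and the audit windows are all assumptions.

```python
from statistics import mean, pstdev

LAMBDA = 0.3   # EWMA weight on the newest observation (assumed value)
EPS = 1e-6     # floor on the expected count so the chi-square denominator is never zero

def chi_square_distance(observed, expected):
    """Chi-square distance: sum over event types of (X_i - E_i)^2 / E_i."""
    return sum((x - e) ** 2 / max(e, EPS) for x, e in zip(observed, expected))

def ewma_forecasts(windows, lam=LAMBDA):
    """One-step-ahead EWMA forecasts, F_t = lam*X_(t-1) + (1-lam)*F_(t-1),
    seeded with the first window; returns the forecast for each later window."""
    forecast, out = list(windows[0]), []
    for x in windows[1:]:
        out.append(forecast)
        forecast = [lam * xi + (1 - lam) * fi for xi, fi in zip(x, forecast)]
    return out

def average_forecast(training):
    """Long-term average of the training windows, reused as a fixed forecast."""
    return [mean(col) for col in zip(*training)]

def control_limit(distances, k=3.0):
    """Alarm threshold learned from normal-only distances: mean + k sigma (assumed rule)."""
    return mean(distances) + k * pstdev(distances)

def detect(windows, n_train, lam=LAMBDA):
    """Return (average-based alarms, EWMA-based alarms) as indices of windows whose
    chi-square distance exceeds a limit learned on the first n_train windows."""
    avg = average_forecast(windows[:n_train])
    d_avg = [chi_square_distance(x, avg) for x in windows]
    d_ewma = [chi_square_distance(x, f)
              for x, f in zip(windows[1:], ewma_forecasts(windows, lam))]
    lim_avg = control_limit(d_avg[:n_train])
    lim_ewma = control_limit(d_ewma[:n_train - 1])   # window 0 has no EWMA forecast
    avg_alarms = [i for i, d in enumerate(d_avg) if d > lim_avg]
    ewma_alarms = [i + 1 for i, d in enumerate(d_ewma) if d > lim_ewma]
    return avg_alarms, ewma_alarms

# Constructed audit windows: counts of four event types per window (say file,
# process, network and login events). Windows 0-5 are normal training data;
# window 7 is a constructed burst of network and login events.
WINDOWS = [
    [50, 30, 15, 5], [52, 28, 16, 4], [48, 31, 14, 6],
    [51, 29, 15, 5], [49, 32, 16, 4], [50, 30, 14, 6],
    [51, 30, 15, 5], [12, 6, 58, 24], [50, 31, 15, 4],
]

if __name__ == "__main__":
    avg_alarms, ewma_alarms = detect(WINDOWS, n_train=6)
    print("average-forecast alarms:", avg_alarms)   # [7]
    # EWMA also flags window 8: its forecast absorbed the intrusive window 7,
    # so the following normal window looks deviant until the forecast recovers.
    print("EWMA-forecast alarms:   ", ewma_alarms)  # [7, 8]
```

The trailing alarm on window 8 is a property of the plain EWMA used here, not a result reported by the paper; it shows why the forecast update after an alarm needs thought in a deployment.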

Original language: English (US)
Pages (from-to): 557-566
Number of pages: 10
Journal: IEEE Transactions on Reliability
Volume: 53
Issue number: 4
State: Published - Dec 2004

Keywords

  • Computer audit data
  • Computer security
  • EWMA (exponentially weighted moving average) Forecast
  • Intrusion detection

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Electrical and Electronic Engineering
