First-order versus high-order stochastic models for computer intrusion detection

Nong Ye, Timothy Ehiabor, Yebin Zhang

Research output: Contribution to journal › Article

21 Citations (Scopus)

Abstract

This paper presents two different methods of applying stochastic models to computer intrusion detection. One method is based on a first-order stochastic model, specifically a Markov chain model. The other method is based on a partial high-order stochastic model. Stochastic models are used to build a profile of normal activities on a computer from the training data of normal activities on the computer. The norm profile is then used to detect anomalous activities from testing data of both normal and intrusive activities on the computer for intrusion detection. Audit data of computer activities contain a sequence of computer events that is represented as a series of event transitions in stochastic models. The comparison of detection performance between the Markov chain model application and the partial high-order stochastic model application reveals the better detection performance of the Markov chain model application to computer intrusion detection.

Original language: English (US)
Pages (from-to): 243-250
Number of pages: 8
Journal: Quality and Reliability Engineering International
Volume: 18
Issue number: 3
DOIs: 10.1002/qre.478
State: Published - May 2002

Fingerprint

  • Intrusion detection
  • Stochastic models
  • Markov processes
  • Stochastic model
  • Testing
  • Markov chain model

Keywords

  • Anomaly detection
  • Computer security
  • Intrusion detection
  • Markov models

ASJC Scopus subject areas

  • Engineering (miscellaneous)
  • Management Science and Operations Research

Cite this

First-order versus high-order stochastic models for computer intrusion detection. / Ye, Nong; Ehiabor, Timothy; Zhang, Yebin.

In: Quality and Reliability Engineering International, Vol. 18, No. 3, 05.2002, p. 243-250.

@article{b46827810af34ec39a25daccd27a9ea0,
title = "First-order versus high-order stochastic models for computer intrusion detection",
abstract = "This paper presents two different methods of applying stochastic models to computer intrusion detection. One method is based on a first-order stochastic model, specifically a Markov chain model. The other method is based on a partial high-order stochastic model. Stochastic models are used to build a profile of normal activities on a computer from the training data of normal activities on the computer. The norm profile is then used to detect anomalous activities from testing data of both normal and intrusive activities on the computer for intrusion detection. Audit data of computer activities contain a sequence of computer events that is represented as a series of event transitions in stochastic models. The comparison of detection performance between the Markov chain model application and the partial high-order stochastic model application reveals the better detection performance of the Markov chain model application to computer intrusion detection.",
keywords = "Anomaly detection, Computer security, Intrusion detection, Markov models",
author = "Nong Ye and Timothy Ehiabor and Yebin Zhang",
year = "2002",
month = "5",
doi = "10.1002/qre.478",
language = "English (US)",
volume = "18",
pages = "243--250",
journal = "Quality and Reliability Engineering International",
issn = "0748-8017",
publisher = "John Wiley and Sons Ltd",
number = "3",

}

TY - JOUR

T1 - First-order versus high-order stochastic models for computer intrusion detection

AU - Ye, Nong

AU - Ehiabor, Timothy

AU - Zhang, Yebin

PY - 2002/5

Y1 - 2002/5

AB - This paper presents two different methods of applying stochastic models to computer intrusion detection. One method is based on a first-order stochastic model, specifically a Markov chain model. The other method is based on a partial high-order stochastic model. Stochastic models are used to build a profile of normal activities on a computer from the training data of normal activities on the computer. The norm profile is then used to detect anomalous activities from testing data of both normal and intrusive activities on the computer for intrusion detection. Audit data of computer activities contain a sequence of computer events that is represented as a series of event transitions in stochastic models. The comparison of detection performance between the Markov chain model application and the partial high-order stochastic model application reveals the better detection performance of the Markov chain model application to computer intrusion detection.

KW - Anomaly detection

KW - Computer security

KW - Intrusion detection

KW - Markov models

UR - http://www.scopus.com/inward/record.url?scp=0036575252&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0036575252&partnerID=8YFLogxK

U2 - 10.1002/qre.478

DO - 10.1002/qre.478

M3 - Article

AN - SCOPUS:0036575252

VL - 18

SP - 243

EP - 250

JO - Quality and Reliability Engineering International

JF - Quality and Reliability Engineering International

SN - 0748-8017

IS - 3

ER -