Multivariate statistical analysis of audit trails for host-based intrusion detection

Nong Ye, Syed Masum Emran, Qiang Chen, Sean Vilbert

Research output: Contribution to journalArticle

179 Scopus citations

Abstract

Intrusion detection complements prevention mechanisms, such as firewalls, cryptography, and authentication, to capture intrusions into an information system while they are acting on the information system. Our study investigates a multivariate quality control technique to detect intrusions by building a long-term profile of normal activities in information systems (norm profile) and using the norm profile to detect anomalies. The multivariate quality control technique is based on Hotelling's T 2 test that detects both counterrelationship anomalies and mean-shift anomalies. The performance of the Hotelling's T 2 test is examined on two sets of computer audit data: a small data set and a large multiday data set. Both data sets contain sessions of normal and intrusive activities. For the small data set, the Hotelling's T 2 test signals all the intrusion sessions and produces no false alarms for the normal sessions For the large data set, the Hotelling's T 2 test signals 92 percent of the intrusion sessions while producing no false alarms for the normal sessions. The performance of the Hotelling's T 2 test is also compared with the performance of a more scalable multivariate technique - a chi-squared distance test.

Original languageEnglish (US)
Pages (from-to)810-820
Number of pages11
JournalIEEE Transactions on Computers
Volume51
Issue number7
DOIs
StatePublished - Jul 1 2002

Keywords

  • Chi-square test
  • Computer security
  • Hotelling's T test
  • Intrusion detection
  • Multivariate statistical analysis

ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Hardware and Architecture
  • Computational Theory and Mathematics

Fingerprint Dive into the research topics of 'Multivariate statistical analysis of audit trails for host-based intrusion detection'. Together they form a unique fingerprint.

  • Cite this