Probabilistic techniques for intrusion detection based on computer audit data

Nong Ye, Xiangyang Li, Qiang Chen, Syed Masum Emran, Mingming Xu

Research output: Contribution to journal › Article

157 Scopus citations

Abstract

This paper presents a series of studies on probabilistic properties of activity data in an information system for detecting intrusions into the information system. Various probabilistic techniques of intrusion detection, including decision tree, Hotelling's T² test, chi-square multivariate test, and Markov chain are applied to the same training set and the same testing set of computer audit data for investigating the frequency property and the ordering property of computer audit data. The results of these studies provide answers to several questions concerning which properties are critical to intrusion detection. First, our studies show that the frequency property of multiple audit event types in a sequence of events is necessary for intrusion detection. A single audit event at a given time is not sufficient for intrusion detection. Second, the ordering property of multiple audit events provides additional advantage to the frequency property for intrusion detection. However, unless the scalability problem of complex data models taking into account the ordering property of activity data is solved, intrusion detection techniques based on the frequency property provide a viable solution that produces good intrusion detection performance with low computational overhead.
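The abstract contrasts two properties of an audit-event sequence: its frequency property (how often each event type occurs) and its ordering property (which event follows which). The following added example, written for this page and not taken from the paper or its data set, makes that distinction concrete. It trains a chi-square count-vector detector and a first-order Markov chain on a handful of constructed benign sessions, then scores two constructed anomalies: one that keeps a normal session's event counts but scrambles their order, and one that adds a burst of rarely seen event types. The event-type alphabet, the sessions, the pseudo-count smoothing, and the "worst score seen on normal data" threshold rule are all assumptions made for the illustration, not the paper's exact statistics or thresholds.

```python
"""Frequency vs. ordering property of audit event sequences.

Constructed example: a benign profile is learned from a few sessions, then
new sessions are scored with (a) a chi-square statistic over event-type
counts, which sees only the frequency property, and (b) a first-order
Markov chain over event-type transitions, which also sees the ordering
property. Alphabet, sessions, smoothing and thresholds are assumptions.
"""
from math import log

EVENT_TYPES = ["open", "read", "write", "close", "exec", "chmod"]
START, END = "START", "END"  # pseudo-states so first/last events are scored

# Constructed benign sessions: variants of a simple file-handling routine.
NORMAL_SESSIONS = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "close"],
    ["open", "read", "read", "read", "close"],
    ["open", "write", "close"],
    ["open", "read", "write", "close"],
]

# Constructed test sessions.
# Same event counts as the first benign session, but in a scrambled order.
ORDERING_ANOMALY = ["read", "close", "open", "write", "read"]
# Normal order of the familiar events, plus a burst of rarely seen types.
FREQUENCY_ANOMALY = ["open", "read", "chmod", "exec", "exec", "exec", "close"]


def count_vector(session):
    """Per-session count of each event type (the frequency property)."""
    return [session.count(t) for t in EVENT_TYPES]


def train_frequency_profile(sessions, pseudo=0.5):
    """Expected per-session count of each event type. The pseudo-count keeps
    never-seen types (exec, chmod) from producing a zero denominator."""
    n = len(sessions)
    totals = [0] * len(EVENT_TYPES)
    for s in sessions:
        for i, c in enumerate(count_vector(s)):
            totals[i] += c
    return [(t + pseudo) / n for t in totals]


def chi_square_score(session, expected):
    """Sum over event types of (observed - expected)^2 / expected."""
    return sum((x - e) ** 2 / e for x, e in zip(count_vector(session), expected))


def train_markov_profile(sessions, pseudo=1.0):
    """Laplace-smoothed first-order transition probabilities P(next | current)."""
    from_states = [START] + EVENT_TYPES
    to_states = EVENT_TYPES + [END]
    counts = {a: {b: 0 for b in to_states} for a in from_states}
    for s in sessions:
        path = [START] + s + [END]
        for a, b in zip(path, path[1:]):
            counts[a][b] += 1
    probs = {}
    for a in from_states:
        total = sum(counts[a].values()) + pseudo * len(to_states)
        probs[a] = {b: (counts[a][b] + pseudo) / total for b in to_states}
    return probs


def markov_score(session, probs):
    """Average negative log transition probability along the session
    (the ordering property); unseen transitions raise it sharply."""
    path = [START] + session + [END]
    nll = [-log(probs[a][b]) for a, b in zip(path, path[1:])]
    return sum(nll) / len(nll)


def detector(sessions):
    """Train both models; each threshold is the worst score on benign data."""
    expected = train_frequency_profile(sessions)
    probs = train_markov_profile(sessions)
    freq_thr = max(chi_square_score(s, expected) for s in sessions)
    order_thr = max(markov_score(s, probs) for s in sessions)

    def classify(session):
        return {
            "frequency_alarm": chi_square_score(session, expected) > freq_thr,
            "ordering_alarm": markov_score(session, probs) > order_thr,
        }

    return classify


if __name__ == "__main__":
    classify = detector(NORMAL_SESSIONS)
    print("ordering anomaly :", classify(ORDERING_ANOMALY))
    print("frequency anomaly:", classify(FREQUENCY_ANOMALY))
```

Run stand-alone, the scrambled session passes the count-based test (its counts are indistinguishable from a benign session) and is caught only by the Markov chain, while the burst session trips both detectors. That is the abstract's second finding in miniature: ordering adds detection power on top of frequency, at the cost of a model whose state grows with the square of the alphabet rather than linearly, which is the scalability trade-off the abstract raises.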

Original language: English (US)
Pages (from-to): 266-274
Number of pages: 9
Journal: IEEE Transactions on Systems, Man, and Cybernetics Part A: Systems and Humans
Volume: 31
Issue number: 4
DOIs
State: Published - Jul 1 2001

Keywords

  • Anomaly detection
  • Computer audit data
  • Intrusion detection
  • Pattern recognition

ASJC Scopus subject areas

  • Software
  • Control and Systems Engineering
  • Human-Computer Interaction
  • Computer Science Applications
  • Electrical and Electronic Engineering