DocumentCode :
397554
Title :
Rule-based integration of multiple measure-models for effective intrusion detection
Author :
Han, Sang-Jun ; Cho, Sung-Bae
Author_Institution :
Dept. of Comput. Sci., Yonsei Univ., South Korea
Volume :
1
fYear :
2003
fDate :
5-8 Oct. 2003
Firstpage :
120
Abstract :
As the reliance on computers increases, security of critical computers becomes more important. An IDS detects unauthorized usage and misuse by a local user as well as modification of important data by analyzing system calls, system logs, activation time, and network packets. Conventional IDSs based on anomaly detection employ several artificial intelligence techniques to model normal behavior. However, they have the shortcoming that there are undetectable intrusions according to types for each measure and modeling method because each intrusion type results in anomalies. We propose a multiple-measure intrusion detection method to remedy this drawback of conventional anomaly detectors. We measure normal behavior by system calls, resource usage and file access events and build up profiles for normal behavior with a hidden Markov model, statistical method and rule-base method, which are integrated with a rule-based approach. Experimental results with real data clearly demonstrate the effectiveness of the proposed method that has a significantly low false-positive error rate against various types of intrusion.
Keywords :
artificial intelligence; authorisation; hidden Markov models; statistical analysis; HMM; activation time; anomaly detection; artificial intelligence; false positive error rate; hidden Markov model; intrusion detection; modeling method; multiple measure models; network packets; rule base method; rule based integration; statistical method; system calls; system logs; Computer science; Computer security; Data analysis; Data security; Detectors; Expert systems; Hidden Markov models; Intrusion detection; Neural networks; Statistics;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Systems, Man and Cybernetics, 2003. IEEE International Conference on
ISSN :
1062-922X
Print_ISBN :
0-7803-7952-7
Type :
conf
DOI :
10.1109/ICSMC.2003.1243802
Filename :
1243802