Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on user profiles built from normal usage data. In particular, user profiles based on Unix shell commands are modeled using two different types of behavioral models. The dynamic modeling approach is based on hidden Markov models (HMMs) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only. To determine whether a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that static modeling outperforms dynamic modeling for this application. Moreover, the static modeling approach based on cross entropy performs similarly to the instance-based learning approach reported previously by others for the same dataset, which has much higher computational and storage requirements than our method.
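The static approach described in the abstract can be sketched as follows; this is an added example, not the paper's code. The add-one smoothing, the fixed window length, the empirical-quantile threshold, all function names and the sample sessions are assumptions made for illustration.

```python
import math
from collections import Counter

UNSEEN = "<unseen>"  # bucket for commands absent from the training data

def build_profile(sessions, alpha=1.0):
    """Static model: smoothed command-frequency distribution, normal data only."""
    counts = Counter(cmd for session in sessions for cmd in session)
    vocab = set(counts) | {UNSEEN}
    total = sum(counts.values()) + alpha * len(vocab)
    return {cmd: (counts[cmd] + alpha) / total for cmd in vocab}

def cross_entropy(window, profile):
    """H(p, q) in bits per command; p = window frequencies, q = profile."""
    p = Counter(cmd if cmd in profile else UNSEEN for cmd in window)
    return -sum(k / len(window) * math.log2(profile[cmd]) for cmd, k in p.items())

def windows(session, size):
    """All contiguous command windows of the given length."""
    return [session[i:i + size] for i in range(len(session) - size + 1)]

def fit_threshold(sessions, profile, size, false_alarm_rate):
    """Score bound that flags at most false_alarm_rate of the normal windows."""
    scores = sorted(cross_entropy(w, profile) for s in sessions for w in windows(s, size))
    keep = math.ceil((1.0 - false_alarm_rate) * len(scores))
    return scores[max(keep, 1) - 1]

def is_anomalous(window, profile, threshold):
    """Reject the 'normal user' hypothesis when the window fits the profile poorly."""
    return cross_entropy(window, profile) > threshold

# Constructed sample data (not from the paper's dataset).
NORMAL_SESSIONS = [
    "cd ls vi make gcc ls vi make gdb ls".split(),
    "cd ls vi make ls cd vi make gcc ls".split(),
]
WINDOW = 5
PROFILE = build_profile(NORMAL_SESSIONS)
THRESHOLD = fit_threshold(NORMAL_SESSIONS, PROFILE, WINDOW, false_alarm_rate=0.1)
HELD_OUT_NORMAL = "ls cd vi make ls".split()   # same habits, new ordering
UNFAMILIAR = "ftp find chmod tar ftp".split()  # commands this user never ran

if __name__ == "__main__":
    for name, w in (("held-out normal", HELD_OUT_NORMAL), ("unfamiliar", UNFAMILIAR)):
        print(name, round(cross_entropy(w, PROFILE), 3), is_anomalous(w, PROFILE, THRESHOLD))
```

Only normal sessions are used to fit both the profile and the threshold, matching the novelty-detection setting; the profile stores one probability per command, which is where the storage advantage over instance-based methods comes from.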