A survey of intrusion detection techniques
Computers and Security
Learning Program Behavior Profiles for Intrusion Detection
Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Mapping maintenance for data integration systems
VLDB '05 Proceedings of the 31st international conference on Very large data bases
On the Effects of Learning Set Corruption in Anomaly-Based Detection of Web Defacements
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Hierarchical Classifiers for Complex Spatio-temporal Concepts
Transactions on Rough Sets IX
User identification via process profiling: extended abstract
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
Towards insider threat detection using web server logs
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
A Classifier Ensemble Approach to Intrusion Detection for Network-Initiated Attacks
Proceedings of the 2007 conference on Emerging Artificial Intelligence Applications in Computer Engineering: Real Word AI Systems with Applications in eHealth, HCI, Information Retrieval and Pervasive Technologies
A Framework for Large-Scale Detection of Web Site Defacements
ACM Transactions on Internet Technology (TOIT)
Estimating accuracy of mobile-masquerader detection using worst-case and best-case scenario
ICICS'06 Proceedings of the 8th international conference on Information and Communications Security
Intrusion detection via analysis and modelling of user commands
DaWaK'05 Proceedings of the 7th international conference on Data Warehousing and Knowledge Discovery
User modelling for exclusion and anomaly detection: a behavioural intrusion detection system
UMAP'10 Proceedings of the 18th international conference on User Modeling, Adaptation, and Personalization
A proposed model for data warehouse user behaviour using intrusion detection system
ACM SIGSOFT Software Engineering Notes
| Hi-index | 0.00 |
We present and empirically analyze a machine-learning approach for detecting intrusions on individual computers. Our Winnow-based algorithm continually monitors user and system behavior, recording such properties as the number of bytes transferred over the last 10 seconds, the programs that currently are running, and the load on the CPU. In all, hundreds of measurements are made and analyzed each second. Using this data, our algorithm creates a model that represents each particular computer's range of normal behavior. Parameters that determine when an alarm should be raised, due to abnormal activity, are set on a per-computer basis, based on an analysis of training data. A major issue in intrusion-detection systems is the need for very low false-alarm rates. Our empirical results suggest that it is possible to obtain high intrusion-detection rates (95%) and low false-alarm rates (less than one per day per computer), without "stealing" too many CPU cycles (less than 1%). We also report which system measurements are the most valuable in terms of detecting intrusions. A surprisingly large number of different measurements prove significantly useful.