Algorithm enhancement for host-based intrusion detection system using discriminant analysis

Bibliographic Details
Main Author: Dahlan, Dahliyusmanto
Format: Thesis
Language: English
Published: 2004
Subjects: QA75 Electronic computers; Computer science
Online Access:http://eprints.utm.my/id/eprint/3202/1/DahliyusmantoMFC2004.pdf
id my-utm-ep.3202
record_format uketd_dc
institution Universiti Teknologi Malaysia
collection UTM Institutional Repository
language English
topic QA75 Electronic computers
Computer science
description Algorithms for building detection models are usually classified into two categories: misuse detection and anomaly detection. Misuse detection algorithms model known attack behavior: they compare sensor data to attack patterns learned from the training data. Anomaly detection algorithms model normal behavior: they compare sensor data to normal patterns learned from the training data using statistical methods and try to detect activity that deviates from normal activity. Although an anomaly IDS might be complete, its accuracy is questionable, since this approach suffers from a high false positive alarm rate and misclassification. This thesis proposes an enhanced algorithm intended to reduce the false positive alarm and misclassification rates. The research investigated a discriminant analysis method for detecting intrusions based on the number of system calls made during an activity on a host machine. The method attempts to separate intrusions from normal activities: it detects intrusions by analyzing the system calls that occur during an activity, and can tell whether that activity is an intrusion. The analysis focuses on the original observations, on which outlier detection and a power transformation were performed to bring non-normally distributed data to near normality. The correlation between system calls is examined using the correlation coefficients of the selected system call variables. The approach is a lightweight intrusion detection method, since it requires only nine system calls, those strongly correlated with intrusions, for analysis. Moreover, it does not require user profiles or a user activity database in order to detect intrusions. Lastly, the method reduces the high false positive alarm rate and misclassification of the detection process.
format Thesis
qualification_level Master's degree
author Dahlan, Dahliyusmanto
title Algorithm enhancement for host-based intrusion detection system using discriminant analysis
granting_institution Universiti Teknologi Malaysia
granting_department Computer Systems and Communications
publishDate 2004
url http://eprints.utm.my/id/eprint/3202/1/DahliyusmantoMFC2004.pdf
spelling my-utm-ep.3202 2018-06-26T07:56:19Z 2004-07-20 2004-07 Thesis http://eprints.utm.my/id/eprint/3202/ application/pdf en public masters