zbMATH — the first resource for mathematics

Examples
Geometry Search for the term Geometry in any field. Queries are case-independent.
Funct* Wildcard queries are specified by * (e.g. functions, functorial, etc.). Otherwise the search is exact.
"Topological group" Phrases (multi-words) should be set in "straight quotation marks".
au: Bourbaki & ti: Algebra Search for author and title. The and-operator & is default and can be omitted.
Chebyshev | Tschebyscheff The or-operator | allows to search for Chebyshev or Tschebyscheff.
"Quasi* map*" py: 1989 The resulting documents have publication year 1989.
so: Eur* J* Mat* Soc* cc: 14 Search for publications in a particular source with a Mathematics Subject Classification code (cc) in 14.
"Partial diff* eq*" ! elliptic The not-operator ! eliminates all results containing the word elliptic.
dt: b & au: Hilbert The document type is set to books; alternatively: j for journal articles, a for book articles.
py: 2000-2015 cc: (94A | 11T) Number ranges are accepted. Terms can be grouped within (parentheses).
la: chinese Find documents in a given language. ISO 639-1 language codes can also be used.

Operators
a & b logic and
a | b logic or
!ab logic not
abc* right wildcard
"ab c" phrase
(ab c) parentheses
Fields
any anywhere an internal document identifier
au author, editor ai internal author identifier
ti title la language
so source ab review, abstract
py publication year rv reviewer
cc MSC code ut uncontrolled term
dt document type (j: journal article; b: book; a: book article)
Host-based intrusion detection using dynamic and static behavioral models. (English) Zbl 1007.68952
Summary: Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on program or user profiles built from normal usage data. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled using two different types of behavioral models for data mining. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only, as opposed to the classification approach which has to use both normal and intrusion data for training. To determine whether or not a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that the dynamic modeling approach is better than the static modeling approach for the system call datasets, while the dynamic modeling approach is worse for the shell command datasets. Moreover, the static modeling approach is similar in performance to instance-based learning reported previously by others for the same shell command database but with much higher computational and storage requirements than our method.

MSC:
68U99Computing methodologies
68T10Pattern recognition, speech recognition
WorldCat.org
Full Text: DOI
References:
[1] Denning, D. E.: An intrusion-detection model. IEEE trans. Software eng. 13, No. 2, 222-232 (1987)
[2] Debar, H.; Dacier, M.; Wespi, A.: Towards a taxonomy of intrusion-detection systems. Comput. networks 31, No. 8, 805-922 (1999)
[3] Duda, R. O.; Hart, P. E.; Stork, D. G.: Pattern classification. (2001) · Zbl 0968.68140
[4] S. Forrest, S.A. Hofmeyr, A. Somayaji, T.A. Longstaff, A sense of self for Unix processes, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, 6--8 May, 1996, pp. 120--128.
[5] D. Endler, Intrusion detection: applying machine learning to Solaris audit data. Proceedings of the Fourteenth Annual Computer Security Applications Conference, Phoenix, AZ, USA, 7--11 December, 1998, pp. 268--279.
[6] G.G. Helmer, J.S.K. Wong, V. Honavar, L. Miller, Intelligent agents for intrusion detection. Proceedings of the 1998 IEEE Information Technology Conference--Information Environment for the Future, Syracuse, NY, USA, 1--3 September 1998, pp. 121--124.
[7] W. Lee, S.J. Stolfo, Data mining approaches for intrusion detection, Proceedings of the Seventh USENIX Security Symposium, San Antonio, TX, USA, 26--29 January 1998, pp. 79--93.
[8] C. Warrender, S. Forrest, B. Pearlmutter, Detecting intrusions using system calls: alternative data models. Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, 9--12 May 1999, pp. 133--145.
[9] Ryan, J.; Lin, M. J.; Miikkulainen, R.: Intrusion detection with neural networks. Advances in neural information processing systems, vol. 10 10, 943-949 (1998)
[10] D. Gunetti, G. Ruffo, Intrusion detection through behavioral data. Proceedings of the Third International Symposium on Intelligent Data Analysis, Amsterdam, Netherlands, 9--11 August 1999, pp. 383--394.
[11] T. Lane, Hidden Markov models for human/computer interface modeling, Proceedings of the IJCAI-99 Workshop on Learning about Users, Stockholm, Sweden, 31 July 1999, pp. 35--44.
[12] Lane, T.; Brodley, C. E.: Temporal sequence learning and data reduction for anomaly detection. ACM trans. Inform. system secur. 2, No. 3, 295-331 (1999)
[13] W. Lee, S.J. Stolfo, K.W. Mok, A data mining framework for building intrusion detection models, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, 9--12 May 1999, pp. 120--132.
[14] Schonlau, M.; Theus, M.: Detecting masquerades in intrusion detection based on unpopular commands. Inform. process. Lett. 76, No. 1/2, 33-38 (2000)
[15] Daunicht, W. J.: Autoassociation and novelty detection by neuromechanics. Science 253, No. 5025, 1289-1291 (1991)
[16] Bishop, C. M.: Novelty detection and neural network validation. IEE proc.: vision image signal process. 141, No. 4, 217-222 (1994)
[17] N. Japkowicz, C. Myers, M. Gluck, A novelty detection approach to classification, Proceedings of the Fourteenth International Joint Conference on Artificial Intelligence, Vol. 1, Montréal, Quebec, Canada, 20--25 August 1995, pp. 518--523.
[18] T. Lane, C.E. Brodley, Temporal sequence learning and data reduction for anomaly detection, Proceedings of the Fifth ACM Conference on Computer and Communications Security, San Francisco, CA, USA, 2--5 November 1998, pp. 150--158.
[19] Rabiner, L. R.: A tutorial on hidden Markov models and selected applications in speech recognition. Proc. IEEE 77, No. 2, 257-286 (1989)
[20] Dempster, A. P.; Laird, N. M.; Rubin, D. B.: Maximum likelihood from incomplete data via the EM algorithm (with discussion). J. roy. Statist. soc. Ser. B 39, 1-38 (1977) · Zbl 0364.62022
[21] Baum, L. E.; Petrie, T.; Soules, G.; Weiss, N.: A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains. Annals of mathematical statistics 41, No. 1, 164-171 (1970) · Zbl 0188.49603
[22] Shore, J. E.; Johnson, R. W.: Axiomatic derivation of the principle of maximum entropy and the principle of minimum cross-entropy. IEEE transactions on information theory 26, No. 1, 26-37 (1980) · Zbl 0429.94011
[23] Johnson, R. W.; Shore, J. E.: Comments on and correction to ’axiomatic derivation of the principle of maximum entropy and the principle of minimum cross-entropy’ (Jan 80 26--37). IEEE transactions on information theory 29, No. 6, 942-943 (1983) · Zbl 0532.94004
[24] Kullback, S.; Leibler, R. A.: On information and sufficiency. Ann. math. Statist. 22, 79-86 (1951) · Zbl 0042.38403
[25] Cohen, P. R.: Empirical methods for artificial intelligence. (1995) · Zbl 0850.68260