Profiling program and user behaviors for anomaly intrusion detection based on non-negative matrix factorization

Wei Wang*, Xiaohong Guan, Xiangliang Zhang

*Corresponding author for this work

Research output: Contribution to journal › Conference article › peer-review

17 Scopus citations

Abstract

Profiling program and user behaviors is an effective approach for detecting hostile attacks on a computer system. This paper presents a new model-based method that uses Non-negative Matrix Factorization (NMF) to profile program and user behaviors for anomaly intrusion detection. The method uses audit data streams obtained from sequences of system calls and UNIX commands as its information source. The audit data is partitioned into segments of a fixed length. Program and user behaviors are then measured by the frequencies of the individual system calls or commands in each segment, and NMF is applied to extract features from the blocks of audit data associated with normal behaviors. The model describing normal program and user behaviors is built from these features, and a deviation from normal behavior above a predetermined threshold is considered anomalous. The method is implemented and tested with the system call data from the University of New Mexico and the Unix command data from AT&T Research lab. Experimental results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.
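The pipeline described in the abstract (fixed-length segments, per-segment call frequencies, NMF fitted on normal data, a threshold on deviation), as an added Python example that is not the authors' code. Assumptions: multiplicative-update NMF, the residual norm as the deviation measure, and a constructed call vocabulary, rank, threshold and traces.

```python
import random

VOCAB = ["open", "read", "write", "close", "mmap", "execve", "socket", "connect"]
THRESHOLD = 0.25  # constructed value; the paper's threshold is not given on this page

def segment_frequencies(stream, seg_len=10):
    """Cut the stream into fixed-length segments; one frequency vector per segment."""
    segs = [stream[i:i + seg_len] for i in range(0, len(stream) - seg_len + 1, seg_len)]
    return [[s.count(c) / seg_len for c in VOCAB] for s in segs]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]
def transpose(A):
    return [list(r) for r in zip(*A)]

def mult_update(X, num, den):  # element-wise X * num / den keeps entries >= 0
    return [[x * n / (d + 1e-9) for x, n, d in zip(xr, nr, dr)]
            for xr, nr, dr in zip(X, num, den)]

def nmf_basis(V, r=2, iters=500, seed=0):
    """Multiplicative-update NMF: V (features x segments) ~ W (features x r) H."""
    rng = random.Random(seed)
    W = [[rng.random() + 0.1 for _ in range(r)] for _ in V]
    H = [[rng.random() + 0.1 for _ in V[0]] for _ in range(r)]
    for _ in range(iters):
        Wt = transpose(W)
        H = mult_update(H, matmul(Wt, V), matmul(matmul(Wt, W), H))
        Ht = transpose(H)
        W = mult_update(W, matmul(V, Ht), matmul(W, matmul(H, Ht)))
    return W

def deviation(vec, W, iters=500):
    """Encode one segment on the fixed normal basis W; return the residual norm."""
    v, Wt = [[x] for x in vec], transpose(W)
    WtV, WtW, h = matmul(Wt, v), matmul(Wt, W), [[1.0] for _ in W[0]]
    for _ in range(iters):
        h = mult_update(h, WtV, matmul(WtW, h))
    return sum((a[0] - b[0]) ** 2 for a, b in zip(v, matmul(W, h))) ** 0.5

def is_anomalous(vec, W):
    return deviation(vec, W) > THRESHOLD

# Constructed traces: two normal call patterns, and one segment of unseen behaviour.
A = ["open", "read", "read", "write", "close"]
B = ["mmap", "read", "write", "write", "close"]
normal_stream = [c for p in random.Random(1).choices([A, B], k=80) for c in p]
W = nmf_basis(transpose(segment_frequencies(normal_stream)))
normal_seg = segment_frequencies(A + B)[0]
odd_seg = segment_frequencies(["execve", "socket", "connect", "socket", "connect"] * 2)[0]
```

Calls that never occur in the normal training data get all-zero rows in W, so a segment dominated by them cannot be reconstructed from the normal basis and its residual stays large.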

Original language: English (US)
Article number: TuA03.5
Pages (from-to): 99-104
Number of pages: 6
Journal: Proceedings of the IEEE Conference on Decision and Control
Volume: 1
State: Published - 2004
Externally published: Yes
Event: 2004 43rd IEEE Conference on Decision and Control (CDC) - Nassau, Bahamas
Duration: Dec 14 2004 - Dec 17 2004

Keywords

  • Anomaly detection
  • Computer security
  • Intrusion detection
  • Non-negative matrix factorization
  • Profiling
  • Shell command
  • System call

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Modeling and Simulation
  • Control and Optimization
