Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data

Wei Wang*, Xiaohong Guan, Xiangliang Zhang, Liwei Yang

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

64 Scopus citations

Abstract

Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events, while the SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected at the University of New Mexico (UNM) and live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance, although high computational expense is required both for training and detection. The HMM method is better than the other two methods reported previously in terms of detection accuracy on the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.
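The contrast the abstract draws between the transition property (exploited by the HMM) and the frequency property (exploited by the SOM) of audit events, shown as an added example that is not the paper's own code: a first-order Markov chain stands in for the HMM and a mean frequency vector for the SOM's trained map, and the event names and traces are constructed rather than taken from the UNM or CNSIS data.

```python
from collections import Counter, defaultdict
from math import log, sqrt

# Constructed sample data: event names stand in for system calls in an audit trace.
# ALPHABET is the event vocabulary shared by the training and test traces.
ALPHABET = ("close", "connect", "exec", "open", "read", "socket", "write")
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "close"],
]
TEST_NORMAL = ["open", "read", "write", "close"]
TEST_ANOMALY = ["open", "exec", "socket", "connect", "close"]  # transitions absent from training


def train_transitions(traces):
    """Transition property: count each event's successors (first-order Markov chain)."""
    counts = defaultdict(Counter)
    for trace in traces:
        for prev, nxt in zip(trace, trace[1:]):
            counts[prev][nxt] += 1
    return counts


def transition_score(model, trace, alpha=1.0):
    """Mean negative log-probability per transition with add-alpha smoothing.
    Unseen transitions get a small probability, so the score rises for traces
    whose event ordering deviates from the normal profile."""
    nll = 0.0
    for prev, nxt in zip(trace, trace[1:]):
        row = model.get(prev, Counter())  # empty row for an event never seen as a predecessor
        prob = (row[nxt] + alpha) / (sum(row.values()) + alpha * len(ALPHABET))
        nll -= log(prob)
    return nll / max(len(trace) - 1, 1)


def frequency_vector(trace):
    """Frequency property: relative frequency of each event, ordering ignored."""
    counts = Counter(trace)
    return [counts[event] / len(trace) for event in ALPHABET]


def train_frequency_profile(traces):
    """Mean frequency vector of the normal traces (the kind of input a SOM is trained on)."""
    vectors = [frequency_vector(t) for t in traces]
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def frequency_score(profile, trace):
    """Euclidean distance from the normal profile: one pass over the trace, no sequence model."""
    return sqrt(sum((p - q) ** 2 for p, q in zip(profile, frequency_vector(trace))))
```

Both scores separate the anomalous trace from the normal one, but the frequency score needs only a single count over the trace, which is the low-overhead property the abstract attributes to the SOM method.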

Original language: English (US)
Pages (from-to): 539-550
Number of pages: 12
Journal: Computers and Security
Volume: 25
Issue number: 7
State: Published - Oct 2006
Externally published: Yes

Keywords

  • Anomaly detection
  • Computer audit data
  • Computer security
  • Hidden Markov models
  • Intrusion detection
  • Profiling
  • Self organizing maps

ASJC Scopus subject areas

  • General Computer Science
  • Law
