Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data

Wei Wang*, Xiaohong Guan, Xiangliang Zhang, Liwei Yang

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

60 Scopus citations

Abstract

Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events, while the SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected at the University of New Mexico (UNM) and live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance, while high computational expense is required both for training and detection. The HMM method is better than the other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

Original language: English (US)
Pages (from-to): 539-550
Number of pages: 12
Journal: Computers and Security
Volume: 25
Issue number: 7
DOIs
State: Published - Oct 1 2006

Keywords

  • Anomaly detection
  • Computer audit data
  • Computer security
  • Hidden Markov models
  • Intrusion detection
  • Profiling
  • Self organizing maps

ASJC Scopus subject areas

  • Computer Science(all)
  • Law
