Anomaly Detection Using Layered Networks Based on Eigen Co-occurrence Matrix

  • Mizuki Oka
  • Yoshihiro Oyama
  • Hirotake Abe
  • Kazuhiko Kato
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3224)


Anomaly detection is a promising approach to detecting intruders masquerading as valid users (called masqueraders). It creates a user profile and labels any behavior that deviates from the profile as anomalous. In anomaly detection, a challenging task is modeling a user’s dynamic behavior based on sequential data collected from computer systems. In this paper, we propose a novel method, called Eigen co-occurrence matrix (ECM), that models sequences such as UNIX commands and extracts their principal features. We applied the ECM method to a masquerade detection experiment with data from Schonlau et al. We report the results and compare them with results obtained from several conventional methods.


Anomaly detection User behavior Co-occurrence matrix PCA Layered networks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Lunt, T.F.: A survey of intrusion detection techniques. Computers and Security 12, 405–418 (1993)CrossRefGoogle Scholar
  2. 2.
    Ye, N., Li, X., Chen, Q., Emran, S.M., Xu, M.: Probablistic Techniques for Intrusion Detection Based on Computer Audit Data. IEEE Transactions on Systems Man and Cybernetics, Part A (Systems & Humans) 31, 266–274 (2001)CrossRefGoogle Scholar
  3. 3.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion Detection using Sequences of System Calls. Journal of Computer Security 6, 151–180 (1998)Google Scholar
  4. 4.
    Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security (TISSEC) 3, 227–261 (2000)CrossRefGoogle Scholar
  5. 5.
    Sekar, R., Bendre, M., Bollineni, P.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, pp. 144–155 (2001)Google Scholar
  6. 6.
    Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, pp. 156–168 (2001)Google Scholar
  7. 7.
    Abe, H., Oyama, Y., Oka, M., Kato, K.: Optimization of Intrusion Detection System Based on Static Analyses (in Japanese). IPSJ Transactions on Advanced Computing Systems (2004)Google Scholar
  8. 8.
    Kosoresow, A.P., Hofmeyr, S.A.: A Shape of Self for UNIX Processes. IEEE Software 14, 35–42 (1997)CrossRefGoogle Scholar
  9. 9.
    DuMouchel, W.: Computer Intrusion Detection Based on Bayes Factors for Comparing Command Transition Probabilities. Technical Report TR91, National Institute of Statistical Sciences, NISS (1999)Google Scholar
  10. 10.
    Jha, S., Tan, K.M.C., Maxion, R.A.: Markov Chains, Classifiers and Intrusion Detection. In: Proc. of 14th IEEE Computer Security Foundations Workshop, pp. 206–219 (2001)Google Scholar
  11. 11.
    Warrender, C., Forrest, S., Pearlmutter, B.A.: Detecting Intrusions Using System Calls: Alternative Data Models. In: IEEE Symposium on Security and Privacy, pp. 133–145 (1999)Google Scholar
  12. 12.
    Schonlau, M., DuMouchel, W., Ju, W.H., Karr, A.F., Theus, M., Vardi, Y.: Computer intrusion: Detecting masquerades. Statistical Science 16(1), 58–74 (2001)zbMATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    Maxion, R.A., Townsend, T.N.: Masquerade Detection Using Truncated Command Lines. In: Prof. of the International Conference on Dependable Systems and Networks (DSN 2002), pp. 219–228 (2002)Google Scholar
  14. 14.
  15. 15.

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Mizuki Oka
    • 1
  • Yoshihiro Oyama
    • 2
    • 5
  • Hirotake Abe
    • 3
  • Kazuhiko Kato
    • 4
    • 5
  1. 1.Master’s Program in Science and EngineeringUniversity of Tsukuba 
  2. 2.Graduate School of Information Science and TechnologyUniversity of Tokyo 
  3. 3.Doctoral Program in EngineeringUniversity of Tsukuba 
  4. 4.Graduate School of Systems and Information EngineeringUniversity of Tsukuba 
  5. 5.Japan Science and Technology Agency (JST) CREST 

Personalised recommendations