Signature-Based Approach for Intrusion Detection

  • Bon K. Sy
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3587)


This research presents a data mining technique for detecting masquerader intrusions. User/system access data are used as the basis for deriving statistically significant event patterns, which can be regarded as a user/system access signature. The signature-based approach employs a model discovery technique to derive a reference ground model that accounts for the user/system access data. A unique characteristic of this reference ground model is that it captures the statistical characteristics of the access signature, thus providing a basis for reasoning about the existence of a security intrusion by comparing a real-time access signature with the one embedded in the reference ground model. The effectiveness of this approach is evaluated through comparative performance on a publicly available data set that contains user masquerades.


Keywords (added by machine, not by the authors): Receiver Operating Characteristic, Receiver Operating Characteristic Curve, Intrusion Detection, Event Pattern, Association Pattern





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Bon K. Sy, Computer Science Department, Queens College/CUNY, Flushing, NY, U.S.A.
