A Fast Host-Based Intrusion Detection System Using Rough Set Theory

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3700)


Intrusion detection systems have become the main research focus in the area of information security. The last few years have witnessed a large variety of techniques and models that provide increasingly efficient intrusion detection solutions. We advocate here that the intrusive behavior of a process is a highly localized characteristic of the process: certain small episodes within a process make it intrusive in an otherwise normal stream. As a result it is unnecessary, and most often misleading, to consider the whole process in its totality and to attempt to characterize its abnormal features. In the present work we establish that subsequences of reasonably small length of the sequence of system calls suffice to identify abnormality in a process. We make use of rough set theory to demonstrate this concept; rough set theory also facilitates identifying rules for intrusion detection. The main contributions of the paper are the following: (a) it is established that very small subsequences of system calls are sufficient to identify intrusive behavior with high accuracy, which we demonstrate using the DARPA'98 BSM data; (b) a rough set based system is developed that can extract rules for intrusion detection; (c) an algorithm is presented that can determine the status of a process as either normal or abnormal on-line.
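The abstract describes three ideas that fit together: short sliding-window subsequences of system calls as the unit of analysis, a rough set decision table from which certain rules are extracted, and an on-line scan that stops as soon as a process matches an abnormal rule. The following Python program is an added illustration of that pipeline and is not the paper's own algorithm or code: the system call traces are constructed sample data (not DARPA BSM records), the window length k is an assumed parameter, and the rule extraction is the textbook rough set construction (lower and upper approximations of the "abnormal" concept over the equivalence classes induced by identical subsequences). Windows that were never seen during training are treated as unknown and simply counted, so that a practitioner can decide how to score them.

```python
"""Sliding-window system call subsequences, a rough set decision table,
and an on-line classifier. Added example; all traces are constructed."""
from collections import defaultdict

# Constructed training traces: (decision label, list of system call names).
TRACES = [
    ("normal",   ["open", "read", "read", "write", "close"]),
    ("normal",   ["open", "read", "write", "close"]),
    ("normal",   ["open", "read", "read", "read", "close"]),
    ("abnormal", ["open", "read", "write", "execve", "close"]),
    ("abnormal", ["open", "setuid", "execve", "close"]),
]


def windows(calls, k):
    """All length-k subsequences of a trace, in order (condition attributes)."""
    return [tuple(calls[i:i + k]) for i in range(len(calls) - k + 1)]


def build_decision_table(traces, k):
    """Rows are (subsequence -> decision). Identical subsequences form one
    equivalence class, so each class maps to the set of decisions seen for it."""
    table = defaultdict(set)
    for label, calls in traces:
        for w in windows(calls, k):
            table[w].add(label)
    return dict(table)


def approximations(table, decision):
    """Rough set lower approximation (classes labelled only `decision`) and
    upper approximation (classes labelled `decision` at least once)."""
    lower = {w for w, labels in table.items() if labels == {decision}}
    upper = {w for w, labels in table.items() if decision in labels}
    return lower, upper


def approximation_accuracy(table, decision):
    """Pawlak's accuracy of approximation |lower| / |upper| for a concept."""
    lower, upper = approximations(table, decision)
    return len(lower) / len(upper) if upper else 1.0


def extract_rules(table):
    """Certain rules come from lower approximations; the boundary region holds
    subsequences that appear in both normal and abnormal traces (no certain rule)."""
    lower_ab, upper_ab = approximations(table, "abnormal")
    lower_n, _ = approximations(table, "normal")
    return {"abnormal": lower_ab, "normal": lower_n, "boundary": upper_ab - lower_ab}


def classify_online(calls, rules, k):
    """Scan a live system call stream with a sliding window and return
    (verdict, index of the call that completed the matching window, window,
    number of never-seen windows). Stops at the first certain-abnormal match."""
    buf, unknown = [], 0
    known = rules["abnormal"] | rules["normal"] | rules["boundary"]
    for i, call in enumerate(calls):
        buf.append(call)
        if len(buf) > k:
            buf.pop(0)
        if len(buf) < k:
            continue
        w = tuple(buf)
        if w in rules["abnormal"]:
            return ("abnormal", i, w, unknown)
        if w not in known:
            unknown += 1
    return ("normal", None, None, unknown)


if __name__ == "__main__":
    K = 2  # assumed window length
    rules = extract_rules(build_decision_table(TRACES, K))
    print("certain abnormal rules:", sorted(rules["abnormal"]))
    print("boundary (undecidable) :", sorted(rules["boundary"]))
    print(classify_online(["open", "read", "write", "execve", "close"], rules, K))
    print(classify_online(["open", "read", "read", "close"], rules, K))
```

With k = 2 the subsequences (open, read) and (read, write) occur in both normal and abnormal traces and therefore land in the boundary region, while (write, execve), (execve, close), (open, setuid) and (setuid, execve) yield certain abnormal rules; the on-line scan of the fourth trace reports "abnormal" at index 3, the call that completes the (write, execve) window, without reading the rest of the process.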


Keywords: Data mining, Decision Table, Rough Set, Intrusion Detection, Anomaly, Misuse





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  1. AI Lab, Dept. of Computer and Information Sciences, University of Hyderabad, Hyderabad, India
  2. IDRBT, Hyderabad, India
