Detecting Anomalies and Intruders
Brittleness is a well-known problem in expert systems: a system can reach a conclusion that human common sense would recognise as impossible, e.g. that a male is pregnant. We have extended previous work on prudent expert systems to enable an expert system to recognise when a case is outside its range of experience. We have also used the same technique to detect new patterns of network traffic, suggesting a possible attack. In essence, we use Ripple Down Rules to partition a domain and add new partitions as new situations are identified. Within each supposedly homogeneous partition we use fairly simple statistical techniques to identify anomalous data. The special feature of these statistics is that they are reasonably robust with small amounts of data, which is exactly the critical situation whenever a new partition is added.
Keywords: False Positive Rate, Expert System, Intrusion Detection, Anomaly Detection, Intrusion Detection System
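To make the partition-then-statistics scheme concrete, the following is an added Python sketch, not the paper's own code. It assumes a median/MAD outlier test as the "fairly simple" per-partition statistic (the abstract does not name one), an ordered rule list standing in for a Ripple Down Rules tree, and constructed flow records with `dport` and `bytes` fields.

```python
from statistics import median

class Partition:
    """One supposedly homogeneous slice of the domain: an RDR conclusion."""
    def __init__(self, name, rule):
        self.name, self.rule, self.values = name, rule, []   # values: normal samples seen

    def is_anomaly(self, x, min_n=5, k=3.5):
        """Median/MAD outlier test (assumed; paper only says 'fairly simple' and robust with
        little data). None while fewer than min_n samples: a new partition cannot judge yet."""
        if len(self.values) < min_n:
            return None
        med = median(self.values)
        mad = median(abs(v - med) for v in self.values)
        if mad == 0:                      # no spread at all: any deviation is notable
            return x != med
        return abs(x - med) / (1.4826 * mad) > k   # 1.4826 scales MAD to a sigma

class RDRDetector:
    """Ordered rules: the first firing rule owns the case; no match = outside experience."""
    def __init__(self, feature):
        self.feature, self.partitions = feature, []

    def add_partition(self, name, rule):
        self.partitions.append(Partition(name, rule))

    def observe(self, case):
        part = next((p for p in self.partitions if p.rule(case)), None)
        if part is None:
            return "unknown-partition"    # prompt the expert for a new rule
        x = case[self.feature]
        verdict = part.is_anomaly(x)
        if verdict is None:
            part.values.append(x)
            return f"{part.name}:insufficient-data"
        if not verdict:
            part.values.append(x)         # only normal cases refine the baseline
        return f"{part.name}:{'anomaly' if verdict else 'normal'}"

def run_demo():
    """Constructed flows: ~80-byte DNS replies, one oversized reply, then unseen SSH."""
    det = RDRDetector("bytes")
    det.add_partition("dns", lambda c: c["dport"] == 53)
    out = [det.observe({"dport": 53, "bytes": b}) for b in (78, 82, 80, 85, 79, 81)]
    out.append(det.observe({"dport": 53, "bytes": 4000}))  # far outside what dns has seen
    out.append(det.observe({"dport": 22, "bytes": 1200}))  # no partition covers port 22
    det.add_partition("ssh", lambda c: c["dport"] == 22)    # expert adds a partition
    out.append(det.observe({"dport": 22, "bytes": 1200}))  # new partition: too few samples
    return out
```

The first five DNS flows are reported as insufficient data, the sixth as normal, the oversized reply as an anomaly, the port-22 flow as an unknown partition, and the first flow after the SSH partition is added again as insufficient data.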