Intrusion Detection through Behavioral Data

  • Daniele Gunetti
  • Giancarlo Ruffo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1642)


We present an approach to the problem of detecting intrusions in computer systems through the use of behavioral data produced by users during their normal login sessions. In fact, attacks may be detected by observing abnormal behavior, and the technique we use consists in associating to each system user a classifier made with relational decision trees that will label login sessions as “legal” or as “intrusions”. We perform an experimentation for 10 users, based on their normal work, gathered during a period of three months. We obtain a correct user recognition of 90%, using an independent test set. The test set consists of new, previously unseen sessions for the users considered during training, as well as sessions from users not available during the training phase. The performance obtained is comparable with previous studies, but (1) we do not use information that may affect user privacy and (2) we do not bother the users with questions.
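The per-user scheme described in the abstract (one classifier per user, that user's own sessions as the legal class and all other known users' sessions as the intrusion class, scored on an independent test set that also contains a user absent from training) can be illustrated with a small worked example. The code below is an added example written for this page; it is not the authors' ReliC learner, and it assumes a plain attribute-value decision tree over two constructed session features (start hour, commands per minute) and constructed sessions for three training users plus one unseen user, "dave". The evaluation makes the caveat visible that matters for the unseen-user part of the test set: each tree only learns the features that separate its user from the *known* negatives, so a new user who resembles a known user on exactly those features is accepted by that user's classifier.

```python
"""Per-user decision-tree session classifiers (added example, constructed data;
not the authors' relational learner)."""
from math import log2

# Constructed sample sessions: (start_hour, commands_per_minute).
TRAIN = {
    "alice": [(8, 3), (9, 4), (9, 5), (10, 4), (8, 3)],
    "bob":   [(8, 9), (10, 11), (9, 12), (8, 10), (10, 9)],
    "carol": [(19, 3), (20, 5), (22, 4), (21, 3), (20, 4)],
}
# Independent test set: new sessions of known users plus one from "dave",
# a user that was not available during training (all constructed).
TEST = [("alice", (9, 4)), ("bob", (9, 10)), ("carol", (21, 4)), ("dave", (20, 10))]

LEGAL, INTRUSION = 1, 0


def entropy(labels):
    """Binary entropy of a label list (0.0 for an empty or pure list)."""
    n = len(labels)
    if n == 0:
        return 0.0
    p = sum(labels) / n
    if p in (0.0, 1.0):
        return 0.0
    return -(p * log2(p) + (1 - p) * log2(1 - p))


def best_split(rows, labels):
    """Return (gain, feature, threshold) maximising information gain over
    midpoint thresholds; ties keep the earlier feature / lower threshold."""
    base, n = entropy(labels), len(labels)
    best = (0.0, None, None)
    for f in range(len(rows[0])):
        values = sorted({r[f] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [l for r, l in zip(rows, labels) if r[f] < thr]
            right = [l for r, l in zip(rows, labels) if r[f] >= thr]
            gain = base - (len(left) * entropy(left) + len(right) * entropy(right)) / n
            if gain > best[0] + 1e-12:
                best = (gain, f, thr)
    return best


def build_tree(rows, labels, depth=0, max_depth=4):
    """Recursive ID3-style tree: ("leaf", label) or ("split", f, thr, left, right)."""
    majority = LEGAL if sum(labels) * 2 > len(labels) else INTRUSION
    if len(set(labels)) == 1 or depth >= max_depth:
        return ("leaf", majority)
    _, f, thr = best_split(rows, labels)
    if f is None:  # no split improves purity
        return ("leaf", majority)
    lrows = [(r, l) for r, l in zip(rows, labels) if r[f] < thr]
    rrows = [(r, l) for r, l in zip(rows, labels) if r[f] >= thr]
    left = build_tree([r for r, _ in lrows], [l for _, l in lrows], depth + 1, max_depth)
    right = build_tree([r for r, _ in rrows], [l for _, l in rrows], depth + 1, max_depth)
    return ("split", f, thr, left, right)


def classify(tree, session):
    """Walk the tree to a leaf and return LEGAL or INTRUSION."""
    while tree[0] == "split":
        _, f, thr, left, right = tree
        tree = left if session[f] < thr else right
    return tree[1]


def train_all(train=TRAIN):
    """One classifier per user: own sessions = LEGAL, every other known user's = INTRUSION."""
    models = {}
    for user in train:
        rows, labels = [], []
        for other, sessions in train.items():
            rows.extend(sessions)
            labels.extend([LEGAL if other == user else INTRUSION] * len(sessions))
        models[user] = build_tree(rows, labels)
    return models


def evaluate(models, test=TEST):
    """Score every (classifier, session) pair; a session is legal only for its owner.
    Returns (correct, total, errors) with errors as (classifier_user, session_owner)."""
    correct, total, errors = 0, 0, []
    for user, tree in models.items():
        for owner, session in test:
            expected = LEGAL if owner == user else INTRUSION
            total += 1
            if classify(tree, session) == expected:
                correct += 1
            else:
                errors.append((user, owner))
    return correct, total, errors


if __name__ == "__main__":
    models = train_all()
    for user, tree in models.items():
        print(user, tree)
    correct, total, errors = evaluate(models)
    print(f"recognition {correct}/{total}; misclassified (classifier, owner): {errors}")
```

On this data alice's tree needs both features (bob shares her hours, carol shares her typing rate), while bob's and carol's trees each stop after one pure split. The unseen user dave (evening hours, fast typing) is therefore rejected by alice's classifier but accepted by bob's and carol's, which is why sessions from users absent during training are the harder half of an independent test set and why the recognition rate must be reported over that set rather than over training users alone.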


Keywords: Decision Tree, Intrusion Detection, Intrusion Detection System, Inductive Logic Programming, Legal User
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Daniele Gunetti (1)
  • Giancarlo Ruffo (1)
  1. Dept. of Computer Science, University of Torino, Torino, Italy
