Anomaly Detection Using Layered Networks Based on Eigen Co-occurrence Matrix

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3224)

Abstract

Anomaly detection is a promising approach to detecting intruders masquerading as valid users (called masqueraders). It creates a user profile and labels any behavior that deviates from the profile as anomalous. In anomaly detection, a challenging task is modeling a user’s dynamic behavior based on sequential data collected from computer systems. In this paper, we propose a novel method, called Eigen co-occurrence matrix (ECM), that models sequences such as UNIX commands and extracts their principal features. We applied the ECM method to a masquerade detection experiment with data from Schonlau et al. We report the results and compare them with results obtained from several conventional methods.

References

  1. Lunt, T.F.: A survey of intrusion detection techniques. Computers and Security 12, 405–418 (1993)

  2. Ye, N., Li, X., Chen, Q., Emran, S.M., Xu, M.: Probabilistic Techniques for Intrusion Detection Based on Computer Audit Data. IEEE Transactions on Systems Man and Cybernetics, Part A (Systems & Humans) 31, 266–274 (2001)

  3. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion Detection using Sequences of System Calls. Journal of Computer Security 6, 151–180 (1998)

  4. Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security (TISSEC) 3, 227–261 (2000)

  5. Sekar, R., Bendre, M., Bollineni, P.: A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, pp. 144–155 (2001)

  6. Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, pp. 156–168 (2001)

  7. Abe, H., Oyama, Y., Oka, M., Kato, K.: Optimization of Intrusion Detection System Based on Static Analyses (in Japanese). IPSJ Transactions on Advanced Computing Systems (2004)

  8. Kosoresow, A.P., Hofmeyr, S.A.: A Shape of Self for UNIX Processes. IEEE Software 14, 35–42 (1997)

  9. DuMouchel, W.: Computer Intrusion Detection Based on Bayes Factors for Comparing Command Transition Probabilities. Technical Report TR91, National Institute of Statistical Sciences, NISS (1999)

  10. Jha, S., Tan, K.M.C., Maxion, R.A.: Markov Chains, Classifiers and Intrusion Detection. In: Proc. of 14th IEEE Computer Security Foundations Workshop, pp. 206–219 (2001)

  11. Warrender, C., Forrest, S., Pearlmutter, B.A.: Detecting Intrusions Using System Calls: Alternative Data Models. In: IEEE Symposium on Security and Privacy, pp. 133–145 (1999)

  12. Schonlau, M., DuMouchel, W., Ju, W.H., Karr, A.F., Theus, M., Vardi, Y.: Computer intrusion: Detecting masquerades. Statistical Science 16(1), 58–74 (2001)

  13. Maxion, R.A., Townsend, T.N.: Masquerade Detection Using Truncated Command Lines. In: Proc. of the International Conference on Dependable Systems and Networks (DSN 2002), pp. 219–228 (2002)

  14. (Java), http://java.sun.com/

  15. (Matlab), http://www.mathworks.com/

Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Oka, M., Oyama, Y., Abe, H., Kato, K. (2004). Anomaly Detection Using Layered Networks Based on Eigen Co-occurrence Matrix. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_12

  • DOI: https://doi.org/10.1007/978-3-540-30143-1_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1

  • eBook Packages: Springer Book Archive
