Intrusion detection through learning behavior model

Intrusion detection is the process of identifying user actions that might potentially lead a system from a secured state to a compromised state. It is normally observed that users exhibit regularities in their use of a system's commands, as they tend to pursue the same (or similar) objectives. Command sequences can therefore be used to characterize user behavior (ACM SIGMETRICS, Performance Evaluation Review, Texas, USA, 13(2) (1985) 40). Deviations from a user's characteristic behavior pattern can be used to detect potential intrusions. This requires, however, that user behavior is modeled either on an individual or on a group basis, in such a way that the model captures the essence of that behavior. In the work reported here, we propose an algorithm for intrusion detection, called Genetic algorithm Based Intrusion Detector (GBID), based on learning the individual user's behavior. The user behavior is learnt using genetic algorithms: current user behavior is predicted by genetic algorithms from past observed user behavior. The user behavior is described using a 3-tuple. The value of the 3-tuple is calculated for a fixed block size of commands in a user session, called a command sample. The 3-tuple value of each command sample in a user session is compared with the expected non-intrusive 3-tuple value to find intrusions.
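The following Python program is an added illustration of the scheme the abstract describes and is not the paper's GBID implementation. It cuts a session into fixed-size command samples, computes a 3-tuple per sample, uses a genetic algorithm to learn an expected-behavior profile (a centre and a tolerance band per feature) from past sessions, and flags samples whose tuple falls outside that band. Because the abstract does not spell out the components of its 3-tuple, the three features used here (distinct-command ratio, fraction of commands seen before, fraction of adjacent command pairs seen before), the block size of 8, the fitness function and all command sessions are assumptions constructed for the example.

```python
import random

BLOCK_SIZE = 8  # assumed fixed block size of one "command sample"

# Constructed training sessions for one user (sample data, not from the paper).
TRAINING_SESSIONS = [
    "ls cd ls vim make ./a.out vim make ./a.out gdb ls cd cat ls vim make".split(),
    "cd ls vim make ./a.out vim make gdb ./a.out ls cat vim make ./a.out ls cd".split(),
    "ls vim make ./a.out ls vim make ./a.out cd ls cat vim make gdb ./a.out ls".split(),
]

def command_samples(session, block_size=BLOCK_SIZE):
    """Cut a session into fixed-size command samples; a trailing partial block is dropped."""
    return [session[i:i + block_size]
            for i in range(0, len(session) - block_size + 1, block_size)]

def build_history(sessions):
    """Vocabulary and adjacent-command pairs seen in the user's past sessions."""
    vocab, bigrams = set(), set()
    for s in sessions:
        vocab.update(s)
        bigrams.update(zip(s, s[1:]))
    return vocab, bigrams

def feature_tuple(sample, vocab, bigrams):
    """Assumed 3-tuple (the abstract does not name its components):
    (distinct-command ratio, fraction of known commands, fraction of known command pairs)."""
    n = len(sample)
    pairs = list(zip(sample, sample[1:]))
    return (len(set(sample)) / n,
            sum(c in vocab for c in sample) / n,
            sum(p in bigrams for p in pairs) / len(pairs))

def inside(profile, t):
    """A profile is (centre, tolerance); a tuple is normal when every feature lies in its band."""
    center, tol = profile
    return all(abs(t[i] - center[i]) <= tol[i] for i in range(3))

def fitness(profile, tuples, penalty=1.0):
    """Reward covering the training samples; penalise wide tolerance bands."""
    covered = sum(inside(profile, t) for t in tuples) / len(tuples)
    return covered - penalty * sum(profile[1]) / 3

def learn_profile(tuples, generations=100, pop_size=40, seed=7):
    """Genetic algorithm: elitist selection, uniform crossover, Gaussian mutation."""
    rng = random.Random(seed)
    clamp = lambda v, lo, hi: min(hi, max(lo, v))
    pop = [([rng.random() for _ in range(3)], [rng.uniform(0.02, 0.3) for _ in range(3)])
           for _ in range(pop_size)]
    for _ in range(generations):
        elite = sorted(pop, key=lambda p: fitness(p, tuples), reverse=True)[:pop_size // 5]
        children = list(elite)  # elites survive unchanged, so best fitness never drops
        while len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            center = [a[0][i] if rng.random() < 0.5 else b[0][i] for i in range(3)]
            tol = [a[1][i] if rng.random() < 0.5 else b[1][i] for i in range(3)]
            i, j = rng.randrange(3), rng.randrange(3)
            center[i] = clamp(center[i] + rng.gauss(0, 0.05), 0.0, 1.0)
            tol[j] = clamp(tol[j] + rng.gauss(0, 0.03), 0.01, 1.0)
            children.append((center, tol))
        pop = children
    return max(pop, key=lambda p: fitness(p, tuples))

def training_tuples(sessions, vocab, bigrams):
    return [feature_tuple(s, vocab, bigrams)
            for sess in sessions for s in command_samples(sess)]

def detect(session, profile, vocab, bigrams):
    """Return (sample index, tuple) for every command sample outside the learned profile."""
    flagged = []
    for idx, sample in enumerate(command_samples(session)):
        t = feature_tuple(sample, vocab, bigrams)
        if not inside(profile, t):
            flagged.append((idx, t))
    return flagged

def run_demo():
    vocab, bigrams = build_history(TRAINING_SESSIONS)
    tuples = training_tuples(TRAINING_SESSIONS, vocab, bigrams)
    profile = learn_profile(tuples)
    # Constructed test sessions: one habitual, one using none of the user's usual commands.
    habitual = "ls vim make ./a.out gdb ./a.out ls cd".split()
    unusual = "python3 pip npm node docker kubectl curl tar".split()
    return {
        "coverage": sum(inside(profile, t) for t in tuples) / len(tuples),
        "habitual": detect(habitual, profile, vocab, bigrams),
        "unusual": detect(unusual, profile, vocab, bigrams),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The fitness function trades coverage of past behaviour against the width of the tolerance bands, so the learned profile is the tightest box that still accepts the user's own history; a session built entirely from commands the user has never issued lands far outside the "known commands" and "known pairs" bands and is flagged, while a session of familiar commands in familiar order produces a tuple within the training range. In a real deployment the profile would be re-learned as the history grows, and the tolerance penalty tuned against an acceptable false-positive rate.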

[1] David E. Goldberg et al., Genetic Algorithms in Search, Optimization and Machine Learning, 1988.

[2] Philip K. Chan et al., Learning Patterns from Unix Process Execution Traces for Intrusion Detection, 1997.

[3] Jeffrey C. Mogul et al., Using predictive prefetching to improve World Wide Web latency, 1996, CCRV.

[4] Dorothy E. Denning et al., An Intrusion-Detection Model, 1987, IEEE Transactions on Software Engineering.

[5] Paul Proctor, Audit reduction and misuse detection in heterogeneous environments: framework and application, 1994, Tenth Annual Computer Security Applications Conference.

[6] S. V. Raghavan et al., On the classification of interactive user behaviour indices, 1985, SIGMETRICS 1985.

[7] Marc Dacier et al., Towards a taxonomy of intrusion-detection systems, 1999, Comput. Networks.

[8] Michael Schatz et al., Learning Program Behavior Profiles for Intrusion Detection, 1999, Workshop on Intrusion Detection and Network Monitoring.

[9] Terran Lane et al., An Application of Machine Learning to Anomaly Detection, 1999.

[10] Salvatore J. Stolfo et al., Automated Intrusion Detection Using NFR: Methods and Experiences, 1999, Workshop on Intrusion Detection and Network Monitoring.

[11] Salvatore J. Stolfo et al., Algorithms for mining system audit data, 2002.

[12] Richard A. Kemmerer et al., State Transition Analysis: A Rule-Based Intrusion Detection Approach, 1995, IEEE Trans. Software Eng.

[13] Ulf Lindqvist et al., Detecting computer and network misuse through the production-based expert system toolset (P-BEST), 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[14] S. V. Raghavan et al., Bandwidth-demand prediction in virtual path in ATM networks using genetic algorithms, 1999, Comput. Commun.

[15] Salvatore J. Stolfo et al., A data mining framework for building intrusion detection models, 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[16] S. V. Raghavan et al., Intelligent prefetch in WWW using client behavior characterization, 2000, Proceedings 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (Cat. No.PR00728).

[17] Terran Lane et al., Temporal sequence learning and data reduction for anomaly detection, 1999, TSEC.

[18] Brian D. Davison et al., Experiments in UNIX Command Prediction, 1997, AAAI/IAAI.