A Behavior Based Approach to Host-Level Intrusion Detection Using Self-Organizing Maps

Neural networks play a vital role in contemporary intrusion detection systems. This paper presents a framework for an anomaly-based host-level intrusion detection system built on a class of neural network called the self-organizing map (SOM). The proposed work takes a different perspective on intrusion detection by applying data mining techniques to host-behavior data in order to detect intrusions. The behavior of the system is defined in terms of a "behavior set" rather than a single parameter. This describes the system's behavior more accurately and helps reduce false positives. The unlabelled data is processed by a SOM trained with an unsupervised learning algorithm, namely "simple competitive learning". Unsupervised learning enables the SOM to detect new and novel attacks.
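The following is an added illustration, not code from the paper: a minimal SOM trained by simple competitive learning (winner-take-all, no neighbourhood function) on a constructed four-metric "behavior set", with a quantization-error threshold fitted on the unlabelled training data to flag anomalous host behavior. The metric names, their distributions and the threshold rule (mean plus three standard deviations) are assumptions made for the example.

```python
import random

# Constructed "behavior set": each sample is a vector of host metrics
# (cpu_pct, syscalls_per_s, file_opens_per_s, net_conns_per_s) scaled to [0, 1].
# Values are synthetic; they are not measurements from the paper.
random.seed(7)

def normal_sample():
    # Hypothetical quiet-workstation profile used as unlabelled training data.
    return [random.gauss(0.20, 0.04), random.gauss(0.30, 0.05),
            random.gauss(0.25, 0.05), random.gauss(0.10, 0.03)]

TRAIN = [normal_sample() for _ in range(300)]

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def train_som(data, n_units=9, epochs=40, lr0=0.5):
    """Simple competitive learning: for each input only the best-matching
    unit (BMU) is moved toward it. Units are seeded from training samples so
    no unit is left stranded in an unvisited region of the input space."""
    units = [list(s) for s in random.sample(data, n_units)]
    for epoch in range(epochs):
        lr = lr0 * (1 - epoch / epochs)  # linearly decaying learning rate
        for x in data:
            bmu = min(range(n_units), key=lambda i: dist2(units[i], x))
            units[bmu] = [w + lr * (xi - w) for w, xi in zip(units[bmu], x)]
    return units

def quantization_error(units, x):
    # Distance from x to its BMU: large means unlike any behavior seen in training.
    return min(dist2(u, x) for u in units) ** 0.5

def fit_threshold(units, data, k=3.0):
    # Anomaly boundary = mean + k * stddev of training-set quantization errors.
    errs = [quantization_error(units, x) for x in data]
    mean = sum(errs) / len(errs)
    std = (sum((e - mean) ** 2 for e in errs) / len(errs)) ** 0.5
    return mean + k * std

def is_anomalous(units, threshold, x):
    """True when the observed behavior vector lies outside the learned profile."""
    return quantization_error(units, x) > threshold

SOM = train_som(TRAIN)
THRESHOLD = fit_threshold(SOM, TRAIN)

if __name__ == "__main__":
    # A burst of CPU, syscalls and outbound connections: flagged as anomalous.
    print(is_anomalous(SOM, THRESHOLD, [0.95, 0.90, 0.10, 0.90]))
```

Because the map is fitted to unlabelled data, behavior that differs from the learned profile in any combination of metrics is flagged without a signature for it.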
