Intrusion detection using principal component analysis

We introduce a novel anomaly-based intrusion detection method built on Principal Component Analysis. The approach projects user profiles onto a feature space that spans the significant variations among the known user profiles. The significant features are called eigenprofiles because they are the eigenvectors (principal components) of the set of user profiles. The projection characterizes a user profile by a weighted sum of the eigenprofile features, so to decide whether a profile is anomalous it is sufficient to compare its weights with those of the known user profiles. The advantages of this approach are that (i) it can learn the known users and later determine whether a new profile does or does not correspond to one of them, (ii) it is easy to implement on any system that provides an audit mechanism, and (iii) it is robust and achieves high detection rates in a short time. We first derive computationally feasible formulae for finding the eigenprofiles, and then describe the intrusion detection algorithm built on them. Our first experiments use simulated UNIX users; we then use real user profiles, where each profile records the numbers of different web pages visited by the corresponding user. The experimental results of the algorithm are promising in both cases, simulated and real behaviour.
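The projection and comparison the abstract describes, as an added example (not the paper's code or data): known profiles are centred, the eigenprofiles are obtained by diagonalising the small M x M matrix A^T A and mapping its eigenvectors back through A (the standard computationally feasible route when profile dimension N exceeds the number of users M), and a new profile is judged by its distance to the nearest known user's weights and by its distance from the eigenprofile subspace. The page-category layout, the profile values and both thresholds are constructed assumptions; the abstract gives no threshold rule.

```python
"""Eigenprofile anomaly detection: added illustration, not the paper's code."""
import numpy as np

# Constructed sample data (not from the paper): one row per known user,
# one column per page category (home, news, mail, admin, download, search).
KNOWN_PROFILES = np.array([
    [40, 10, 30, 0,  2,  8],
    [38, 12, 28, 0,  3,  9],
    [ 5, 50,  2, 0,  1, 20],
    [ 6, 48,  3, 0,  2, 22],
    [20, 20, 20, 0, 10, 10],
], dtype=float)


def eigenprofiles(profiles, n_components=None):
    """Mean profile, eigenprofile basis U (N x k, orthonormal columns) and
    the fraction of variance carried by each eigenprofile.

    With M profiles of dimension N, the N x N covariance has at most M-1
    non-zero eigenvalues, so diagonalise the small M x M matrix A^T A and map
    its eigenvectors v back through A: A A^T (A v) = A (A^T A v) = lambda (A v).
    """
    profiles = np.asarray(profiles, dtype=float)
    mean = profiles.mean(axis=0)
    A = (profiles - mean).T                  # N x M, columns = centred profiles
    vals, vecs = np.linalg.eigh(A.T @ A)     # eigh returns ascending order
    order = np.argsort(vals)[::-1]
    vals, vecs = vals[order], vecs[:, order]
    keep = vals > 1e-9 * vals[0]             # discard null directions (rank <= M-1)
    vals, vecs = vals[keep], vecs[:, keep]
    U = A @ vecs                             # eigenvectors of the N x N scatter matrix
    U /= np.linalg.norm(U, axis=0)           # ||A v||^2 = lambda, so normalise
    ratio = vals / vals.sum()
    if n_components is not None:             # keep only the most significant ones
        U = U[:, :n_components]
    return mean, U, ratio


class EigenprofileDetector:
    """Projects profiles onto the eigenprofile space and compares weights.

    Both thresholds are assumptions for this example; in practice they are
    tuned on held-out normal sessions.
    """

    def __init__(self, profiles, n_components=None,
                 weight_threshold=5.0, residual_threshold=5.0):
        self.profiles = np.asarray(profiles, dtype=float)
        self.mean, self.U, self.explained_variance_ratio = eigenprofiles(
            self.profiles, n_components)
        self.known_weights = (self.profiles - self.mean) @ self.U   # M x k
        self.weight_threshold = weight_threshold
        self.residual_threshold = residual_threshold

    def weights(self, profile):
        """Coordinates of a profile in eigenprofile space."""
        return self.U.T @ (np.asarray(profile, dtype=float) - self.mean)

    def reconstruct(self, profile):
        """Weighted sum of eigenprofiles (plus the mean) closest to the profile."""
        return self.mean + self.U @ self.weights(profile)

    def score(self, profile):
        """(index of nearest known user, distance to its weights,
        distance of the profile from the eigenprofile subspace)."""
        profile = np.asarray(profile, dtype=float)
        dists = np.linalg.norm(self.known_weights - self.weights(profile), axis=1)
        nearest = int(np.argmin(dists))
        residual = float(np.linalg.norm(profile - self.reconstruct(profile)))
        return nearest, float(dists[nearest]), residual

    def classify(self, profile):
        nearest, d_weights, d_space = self.score(profile)
        if d_space > self.residual_threshold:
            return "anomalous", None     # not a weighted sum of eigenprofiles at all
        if d_weights > self.weight_threshold:
            return "unknown", None       # plausible profile, but no known user matches
        return "known", nearest

    # Self-checks a practitioner would run after training.
    def basis_error(self):
        """Largest deviation of U^T U from the identity (should be ~0)."""
        k = self.U.shape[1]
        return float(np.abs(self.U.T @ self.U - np.eye(k)).max())

    def training_residuals(self):
        """Distance of each known profile from the subspace (0 if all components kept)."""
        return [self.score(p)[2] for p in self.profiles]


if __name__ == "__main__":
    det = EigenprofileDetector(KNOWN_PROFILES)
    for p in ([40, 11, 30, 0, 2, 8], [2, 1, 0, 60, 55, 0]):
        print(p, det.classify(p), det.score(p))
```

The three-way outcome is the point of the two distances: a profile far from the subspace is not a weighted sum of eigenprofiles at all (here, heavy activity on the admin and download categories that no known user touches), whereas a profile inside the subspace but far from every known user's weights is a plausible but unrecognised user. Dropping components with `n_components` keeps only the significant variations, at the cost of non-zero residuals for the known profiles themselves, which is where `training_residuals()` helps when picking `residual_threshold`.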
