Modelling and solving the intrusion detection problem in computer networks

We introduce a novel anomaly intrusion detection method based on a Within-Class Dissimilarity (WCD). The approach uses the WCD metric to measure the distance between an unknown user and a known user, each represented by a profile vector. First, each user performs a set of commands (events) on a given system (Unix, for example). The events vector of a given user profile is a binary vector whose element is equal to 1 if the corresponding event occurs and 0 otherwise. In addition, each user class k has a typical profile defined by the vector P_k, which is used to test whether a new user i, defined by its profile vector P_i, belongs to class k or not. The vector P_k is a weighted events vector E_k, in which each weight is the number of occurrences of the event e_k. If the "distance" d_ki (measured by a dissimilarity parameter) between an unknown profile P_i and a known profile P_k is acceptable with respect to a given threshold and some constraints, then there is no intrusion; otherwise, user i is suspicious. A simple example illustrates the WCD procedure. A survey of intrusion detection methods is also presented. Because the proposed method relies on clustering users and on simple statistical formulas, it is straightforward to implement.
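The profile construction and threshold test described above, as an added worked example that is not part of the paper: the abstract does not give the exact WCD formula, so the `dissimilarity` function below uses an assumed weighted-mismatch score (events the class performs are weighted by their occurrence count, events it never performs get weight 1, and the sum of mismatched weights is normalised by the total weight). The event alphabet, training sessions, user names and the threshold of 0.4 are all constructed for illustration.

```python
from collections import Counter

# Constructed event alphabet: the commands the monitored system can observe (an assumption).
EVENTS = ["ls", "cd", "cat", "vi", "make", "gcc", "ssh", "sudo", "wget", "chmod"]


def event_vector(commands):
    """Binary events vector of one user session: 1 if the event occurs, 0 otherwise."""
    present = set(commands)
    return [1 if e in present else 0 for e in EVENTS]


def class_profile(sessions):
    """Weighted events vector P_k: for each event, the number of sessions of class k
    in which it occurred (each session counts an event at most once)."""
    counts = Counter()
    for session in sessions:
        for e in set(session):
            if e in EVENTS:
                counts[e] += 1
    return [counts[e] for e in EVENTS]


def dissimilarity(p_i, p_k):
    """Assumed WCD-style dissimilarity d_ki between a binary vector p_i and a
    weighted class profile p_k. An event counts as a mismatch when the user
    performed it but the class never does, or when the class does it (weight > 0)
    and the user did not. Mismatched weight is normalised by total weight, so the
    result lies in [0, 1]."""
    total = 0.0
    mismatch = 0.0
    for x, w in zip(p_i, p_k):
        weight = w if w > 0 else 1      # novel events carry a unit penalty
        expected = 1 if w > 0 else 0    # what a typical class member would show
        total += weight
        if x != expected:
            mismatch += weight
    return mismatch / total


def classify(commands, profiles, threshold):
    """Compare an unknown user against every class profile P_k and return
    (nearest class, d_ki, suspicious). The user is suspicious when even the
    nearest class is further away than the threshold."""
    p_i = event_vector(commands)
    best = min(profiles, key=lambda k: dissimilarity(p_i, profiles[k]))
    d = dissimilarity(p_i, profiles[best])
    return best, d, d > threshold


# Constructed training sessions for two user classes.
TRAINING = {
    "developer": [
        ["ls", "cd", "vi", "make", "gcc"],
        ["cd", "vi", "gcc", "ls"],
        ["ls", "make", "gcc", "cat"],
    ],
    "admin": [
        ["ssh", "sudo", "cat", "ls"],
        ["sudo", "chmod", "ls", "cat"],
        ["ssh", "sudo", "ls"],
    ],
}
PROFILES = {k: class_profile(v) for k, v in TRAINING.items()}
THRESHOLD = 0.4  # assumed acceptance threshold on d_ki


if __name__ == "__main__":
    # Constructed unknown sessions: two that resemble a known class, one that does not.
    for name, cmds in [
        ("user_a", ["ls", "cd", "vi", "gcc"]),
        ("user_b", ["ssh", "sudo", "ls"]),
        ("user_c", ["wget", "chmod", "make"]),
    ]:
        cls, d, flagged = classify(cmds, PROFILES, THRESHOLD)
        print(f"{name}: nearest class={cls} d={d:.3f} suspicious={flagged}")
```

With these constructed inputs, user_a is closest to the developer profile (d = 3/17), user_b to the admin profile (d = 3/16), and user_c exceeds the threshold for both classes (d = 0.75 at best) and is flagged as suspicious. The threshold and the weighting of novel events are the two knobs a practitioner would tune against the false-positive rate on legitimate sessions.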