Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection

Intrusion detection complements prevention mechanisms, such as firewalls, cryptography, and authentication, to capture intrusions into an information system while they are acting on the information system. Our study investigates a multivariate quality control technique to detect intrusions by building a long-term profile of normal activities in information systems (norm profile) and using the norm profile to detect anomalies. The multivariate quality control technique is based on Hotelling's T² test that detects both counterrelationship anomalies and mean-shift anomalies. The performance of the Hotelling's T² test is examined on two sets of computer audit data: a small data set and a large multiday data set. Both data sets contain sessions of normal and intrusive activities. For the small data set, the Hotelling's T² test signals all the intrusion sessions and produces no false alarms for the normal sessions. For the large data set, the Hotelling's T² test signals 92 percent of the intrusion sessions while producing no false alarms for the normal sessions. The performance of the Hotelling's T² test is also compared with the performance of a more scalable multivariate technique, a chi-squared distance test.
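The following is an added worked example, not code from the paper or its authors, showing the two statistics the abstract contrasts over per-session audit event counts: a norm profile (mean vector and sample covariance) is built from normal sessions, Hotelling's T² = (x − μ)ᵀ S⁻¹ (x − μ) is computed for new sessions, and the chi-squared distance Σ (xᵢ − μᵢ)² / μᵢ is computed alongside it. The training sessions, the three event categories, the test sessions and the signal threshold (mean plus three standard deviations of each statistic over the training sessions) are all constructed assumptions for illustration; the paper's own thresholds and audit features are not reproduced here. The example goes slightly beyond the abstract by showing concretely why a counter-relationship anomaly (one feature low while a correlated feature is high) is visible to T² but not to the covariance-free chi-squared distance.

```python
"""Hotelling's T^2 and chi-squared distance anomaly tests over per-session
audit event counts. Added example, not the paper's code; the sessions, the
event categories and the threshold rule are constructed for illustration."""
from statistics import mean, pstdev
from typing import List, Sequence

Vector = Sequence[float]
Matrix = List[List[float]]

# Constructed training data: one row per normal session, one column per audit
# event type (assumed here: file accesses, process executions, network connects).
# Columns 0 and 1 rise and fall together, i.e. they are strongly correlated.
NORMAL_SESSIONS: Matrix = [
    [20, 5, 2], [22, 6, 2], [18, 4, 1], [25, 7, 3], [21, 5, 2],
    [19, 5, 2], [23, 6, 3], [20, 4, 2], [24, 7, 2], [22, 6, 2],
]

# Constructed test sessions.
NORMAL_TEST_SESSION = [21, 6, 2]          # looks like the training data
MEAN_SHIFT_SESSION = [60, 5, 2]           # one feature far from its mean
COUNTER_RELATIONSHIP_SESSION = [19, 7, 2] # each feature in range, relation broken


def mean_vector(rows: Matrix) -> List[float]:
    n = len(rows)
    return [sum(col) / n for col in zip(*rows)]


def covariance(rows: Matrix, mu: Vector) -> Matrix:
    """Unbiased sample covariance S (divides by n - 1)."""
    n, p = len(rows), len(mu)
    s = [[0.0] * p for _ in range(p)]
    for row in rows:
        d = [row[i] - mu[i] for i in range(p)]
        for i in range(p):
            for j in range(p):
                s[i][j] += d[i] * d[j]
    return [[v / (n - 1) for v in line] for line in s]


def invert(m: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting. Raises when S is singular,
    which happens if a training column is constant or there are too few sessions."""
    p = len(m)
    a = [list(map(float, m[i])) + [1.0 if i == j else 0.0 for j in range(p)]
         for i in range(p)]
    for c in range(p):
        pivot = max(range(c, p), key=lambda r: abs(a[r][c]))
        if abs(a[pivot][c]) < 1e-12:
            raise ValueError("covariance matrix is singular; profile cannot be built")
        a[c], a[pivot] = a[pivot], a[c]
        f = a[c][c]
        a[c] = [v / f for v in a[c]]
        for r in range(p):
            if r != c and a[r][c] != 0.0:
                g = a[r][c]
                a[r] = [rv - g * cv for rv, cv in zip(a[r], a[c])]
    return [row[p:] for row in a]


def hotelling_t2(x: Vector, mu: Vector, s_inv: Matrix) -> float:
    """T^2 = (x - mu)^T S^-1 (x - mu): a distance that accounts for covariance."""
    d = [x[i] - mu[i] for i in range(len(mu))]
    return sum(d[i] * s_inv[i][j] * d[j] for i in range(len(d)) for j in range(len(d)))


def chi2_distance(x: Vector, mu: Vector) -> float:
    """Chi-squared distance sum((x_i - mu_i)^2 / mu_i): ignores covariance, O(p)."""
    return sum((x[i] - mu[i]) ** 2 / mu[i] for i in range(len(mu)))


class NormProfile:
    """Long-term profile of normal sessions plus a signal limit per statistic."""

    def __init__(self, rows: Matrix) -> None:
        self.mu = mean_vector(rows)
        self.s_inv = invert(covariance(rows, self.mu))
        t2 = [hotelling_t2(r, self.mu, self.s_inv) for r in rows]
        c2 = [chi2_distance(r, self.mu) for r in rows]
        # Constructed threshold rule: mean + 3 sd of the statistic on training data.
        self.t2_limit = mean(t2) + 3 * pstdev(t2)
        self.chi2_limit = mean(c2) + 3 * pstdev(c2)

    def t2_signal(self, x: Vector) -> bool:
        return hotelling_t2(x, self.mu, self.s_inv) > self.t2_limit

    def chi2_signal(self, x: Vector) -> bool:
        return chi2_distance(x, self.mu) > self.chi2_limit


if __name__ == "__main__":
    profile = NormProfile(NORMAL_SESSIONS)
    for label, session in [("normal", NORMAL_TEST_SESSION),
                           ("mean shift", MEAN_SHIFT_SESSION),
                           ("counter-relationship", COUNTER_RELATIONSHIP_SESSION)]:
        print(f"{label:22s} T2={hotelling_t2(session, profile.mu, profile.s_inv):8.2f} "
              f"signal={profile.t2_signal(session)}  "
              f"chi2={chi2_distance(session, profile.mu):6.2f} "
              f"signal={profile.chi2_signal(session)}")
```

Running the script shows the mean-shift session signalled by both tests, the counter-relationship session signalled only by T², and the normal session by neither. The inversion of S is the cost the abstract alludes to when it calls the chi-squared distance "more scalable": T² needs S⁻¹ over all p features, whereas the chi-squared distance needs only the p means.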