论文信息 - Foundations of intrusion detection (computer security)

Foundations of intrusion detection (computer security)

Computer use is modeled as a mixture of two stochastic processes, normal and misuse. Intrusion detection is formally defined as identifying those transactions generated by the misuse process. Bounds for detection performance are derived in terms of the ratios of the densities of the processes at the individual transactions. It is shown that any optimal intrusion detection system must rank transaction suspicion consistently with these ratios. Sparsity of data requires that transactions be grouped into equivalence classes that preserve the order of the true ratio ranking and reduce the number of singleton and unobserved transactions. Results are described that demonstrate that in general this 'singleton reduction' problem is NP-hard.<<ETX>>

[1] R. L. Maxwell,et al. A performance evaluation of personnel identity verifiers , 1987 .

[2] Gunar E. Liepins,et al. Intrusion detection: Its role and validation , 1992, Comput. Secur..

[3] Gunar E. Liepins,et al. Detection of anomalous computer session activity , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[4] J. Friedman,et al. PROJECTION PURSUIT DENSITY ESTIMATION , 1984 .

[5] I. Good. THE POPULATION FREQUENCIES OF SPECIES AND THE ESTIMATION OF POPULATION PARAMETERS , 1953 .

[6] E. Parzen. On Estimation of a Probability Density Function and Mode , 1962 .

[7] Tomaso A. Poggio,et al. Extensions of a Theory of Networks for Approximation and Learning , 1990, NIPS.

[8] K. Lee,et al. Function approximation with an orthogonal basis net , 1990, 1990 IJCNN International Joint Conference on Neural Networks.

[9] C. Quesenberry,et al. A nonparametric estimate of a multivariate density function , 1965 .