Anomaly detection of computer usage using artificial intelligence techniques

Jongho Choy; Sung Bae Cho

doi:10.1007/3-540-45408-x_5

Anomaly detection of computer usage using artificial intelligence techniques

Jongho Choy, Sung Bae Cho

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

Intrusion detection systems (IDS) aim to detect attacks against computer systems by monitoring the behavior of users, networks, or computer systems. Attacks against computer systems are still largely successful despite the plenty of intrusion prevention techniques available. This paper presents an IDS based on anomaly detection using several AI techniques. Anomaly detection models normal behaviors and attempts to detect intrusions by noting significant deviations from normal behavior. Raw audit data are preprocessed and reduced into appropriate size and format using Self-Organizing Map (SOM). Different aspects of a sequence of events are modeled by several hidden Markov models (HMMs), and a voting technique combines the models to determine whether current behavior is normal or not. Several experiments are conducted to explore the optimal data reduction and modeling method. For the optimal measures, system call and file access related measures are found useful and overall performance depends on the map size for each measure. Voting technique leads to more reliable detection rate.

Original language	English
Title of host publication	Advances in Artificial Intelligence
Subtitle of host publication	PRICAI 2000 Workshop Reader - Four Workshops held at PRICAI 2000, Revised Papers
Editors	Ryszard Kowalczyk, Seng W. Loke, Nancy E. Reed, Graham Williams
Publisher	Springer Verlag
Pages	31-43
Number of pages	13
ISBN (Print)	3540425977, 9783540454083
DOIs	https://doi.org/10.1007/3-540-45408-x_5
Publication status	Published - 2001
Event	6th Pacific Rim International Conference on Artificial Intelligence, PRICAI 2000 - Melbourne, Australia Duration: 2000 Aug 28 → 2000 Sep 1

Publication series

Name	Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)
Volume	2112
ISSN (Print)	0302-9743

Other

Other	6th Pacific Rim International Conference on Artificial Intelligence, PRICAI 2000
Country/Territory	Australia
City	Melbourne
Period	00/8/28 → 00/9/1

Bibliographical note

Publisher Copyright:
© 2001 Springer-Verlag Berlin Heidelberg.

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/3-540-45408-x_5

Cite this

Choy, J., & Cho, S. B. (2001). Anomaly detection of computer usage using artificial intelligence techniques. In R. Kowalczyk, S. W. Loke, N. E. Reed, & G. Williams (Eds.), Advances in Artificial Intelligence: PRICAI 2000 Workshop Reader - Four Workshops held at PRICAI 2000, Revised Papers (pp. 31-43). (Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science); Vol. 2112). Springer Verlag. https://doi.org/10.1007/3-540-45408-x_5

Choy, Jongho ; Cho, Sung Bae. / Anomaly detection of computer usage using artificial intelligence techniques. Advances in Artificial Intelligence: PRICAI 2000 Workshop Reader - Four Workshops held at PRICAI 2000, Revised Papers. editor / Ryszard Kowalczyk ; Seng W. Loke ; Nancy E. Reed ; Graham Williams. Springer Verlag, 2001. pp. 31-43 (Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)).

@inproceedings{85fa6d93d8194941921867466ece12a1,

title = "Anomaly detection of computer usage using artificial intelligence techniques",

abstract = "Intrusion detection systems (IDS) aim to detect attacks against computer systems by monitoring the behavior of users, networks, or computer systems. Attacks against computer systems are still largely successful despite the plenty of intrusion prevention techniques available. This paper presents an IDS based on anomaly detection using several AI techniques. Anomaly detection models normal behaviors and attempts to detect intrusions by noting significant deviations from normal behavior. Raw audit data are preprocessed and reduced into appropriate size and format using Self-Organizing Map (SOM). Different aspects of a sequence of events are modeled by several hidden Markov models (HMMs), and a voting technique combines the models to determine whether current behavior is normal or not. Several experiments are conducted to explore the optimal data reduction and modeling method. For the optimal measures, system call and file access related measures are found useful and overall performance depends on the map size for each measure. Voting technique leads to more reliable detection rate.",

author = "Jongho Choy and Cho, {Sung Bae}",

note = "Publisher Copyright: {\textcopyright} 2001 Springer-Verlag Berlin Heidelberg.; 6th Pacific Rim International Conference on Artificial Intelligence, PRICAI 2000 ; Conference date: 28-08-2000 Through 01-09-2000",

year = "2001",

doi = "10.1007/3-540-45408-x_5",

language = "English",

isbn = "3540425977",

series = "Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)",

publisher = "Springer Verlag",

pages = "31--43",

editor = "Ryszard Kowalczyk and Loke, {Seng W.} and Reed, {Nancy E.} and Graham Williams",

booktitle = "Advances in Artificial Intelligence",

address = "Germany",

}

Choy, J & Cho, SB 2001, Anomaly detection of computer usage using artificial intelligence techniques. in R Kowalczyk, SW Loke, NE Reed & G Williams (eds), Advances in Artificial Intelligence: PRICAI 2000 Workshop Reader - Four Workshops held at PRICAI 2000, Revised Papers. Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science), vol. 2112, Springer Verlag, pp. 31-43, 6th Pacific Rim International Conference on Artificial Intelligence, PRICAI 2000, Melbourne, Australia, 00/8/28. https://doi.org/10.1007/3-540-45408-x_5

Anomaly detection of computer usage using artificial intelligence techniques. / Choy, Jongho; Cho, Sung Bae.

Advances in Artificial Intelligence: PRICAI 2000 Workshop Reader - Four Workshops held at PRICAI 2000, Revised Papers. ed. / Ryszard Kowalczyk; Seng W. Loke; Nancy E. Reed; Graham Williams. Springer Verlag, 2001. p. 31-43 (Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science); Vol. 2112).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Anomaly detection of computer usage using artificial intelligence techniques

AU - Choy, Jongho

AU - Cho, Sung Bae

PY - 2001

Y1 - 2001

N2 - Intrusion detection systems (IDS) aim to detect attacks against computer systems by monitoring the behavior of users, networks, or computer systems. Attacks against computer systems are still largely successful despite the plenty of intrusion prevention techniques available. This paper presents an IDS based on anomaly detection using several AI techniques. Anomaly detection models normal behaviors and attempts to detect intrusions by noting significant deviations from normal behavior. Raw audit data are preprocessed and reduced into appropriate size and format using Self-Organizing Map (SOM). Different aspects of a sequence of events are modeled by several hidden Markov models (HMMs), and a voting technique combines the models to determine whether current behavior is normal or not. Several experiments are conducted to explore the optimal data reduction and modeling method. For the optimal measures, system call and file access related measures are found useful and overall performance depends on the map size for each measure. Voting technique leads to more reliable detection rate.

AB - Intrusion detection systems (IDS) aim to detect attacks against computer systems by monitoring the behavior of users, networks, or computer systems. Attacks against computer systems are still largely successful despite the plenty of intrusion prevention techniques available. This paper presents an IDS based on anomaly detection using several AI techniques. Anomaly detection models normal behaviors and attempts to detect intrusions by noting significant deviations from normal behavior. Raw audit data are preprocessed and reduced into appropriate size and format using Self-Organizing Map (SOM). Different aspects of a sequence of events are modeled by several hidden Markov models (HMMs), and a voting technique combines the models to determine whether current behavior is normal or not. Several experiments are conducted to explore the optimal data reduction and modeling method. For the optimal measures, system call and file access related measures are found useful and overall performance depends on the map size for each measure. Voting technique leads to more reliable detection rate.

UR - http://www.scopus.com/inward/record.url?scp=72149106875&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=72149106875&partnerID=8YFLogxK

U2 - 10.1007/3-540-45408-x_5

DO - 10.1007/3-540-45408-x_5

M3 - Conference contribution

AN - SCOPUS:72149106875

SN - 3540425977

SN - 9783540454083

T3 - Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)

SP - 31

EP - 43

BT - Advances in Artificial Intelligence

A2 - Kowalczyk, Ryszard

A2 - Loke, Seng W.

A2 - Reed, Nancy E.

A2 - Williams, Graham

PB - Springer Verlag

T2 - 6th Pacific Rim International Conference on Artificial Intelligence, PRICAI 2000

Y2 - 28 August 2000 through 1 September 2000

ER -

Choy J, Cho SB. Anomaly detection of computer usage using artificial intelligence techniques. In Kowalczyk R, Loke SW, Reed NE, Williams G, editors, Advances in Artificial Intelligence: PRICAI 2000 Workshop Reader - Four Workshops held at PRICAI 2000, Revised Papers. Springer Verlag. 2001. p. 31-43. (Lecture Notes in Artificial Intelligence (Subseries of Lecture Notes in Computer Science)). https://doi.org/10.1007/3-540-45408-x_5

Anomaly detection of computer usage using artificial intelligence techniques

Abstract

Publication series

Other

Bibliographical note

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this