Detecting intrusion with rule-based integration of multiple models

Sang Jun Han, Sung-Bae Cho

Research output: Contribution to journal › Comment/debate

36 Citations (Scopus)

Abstract

As information technology grows, interest in intrusion detection systems (IDS), which detect unauthorized usage, misuse by a local user and modification of important data, has risen. In the field of anomaly-based IDS, several data mining techniques such as hidden Markov models (HMM), artificial neural networks, statistical techniques and expert systems are used to model network packets, system call audit data, and so on. However, each measure and modeling method has intrusion types it cannot detect, because each intrusion type produces anomalies in a different measure. To overcome this drawback of single-measure anomaly detectors, this paper proposes a multiple-measure intrusion detection method. We measure normal behavior by system calls, resource usage and file access events, and build profiles of normal behavior with a hidden Markov model, a statistical method and a rule-based method, which are integrated with a rule-based approach. Experimental results with real data clearly demonstrate the effectiveness of the proposed method, which has a significantly low false-positive error rate against various types of intrusion.

Original language: English
Pages (from-to): 613-623
Number of pages: 11
Journal: Computers and Security
Volume: 22
Issue number: 7
DOIs: 10.1016/S0167-4048(03)00711-9
Publication status: Published - 2003 Jan 1

Fingerprint

  • Intrusion detection
  • Hidden Markov models
  • Packet networks
  • Expert systems
  • Information technology
  • Data mining
  • Statistical methods
  • knowledge-based system
  • statistical method
  • audit
  • neural network
  • Detectors
  • Neural networks
  • information technology
  • event
  • resources

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
  • Law

Cite this

@article{aca520a223a14f7abd5614c715edfed0,
title = "Detecting intrusion with rule-based integration of multiple models",
author = "Han, {Sang Jun} and Sung-Bae Cho",
year = "2003",
month = "1",
day = "1",
doi = "10.1016/S0167-4048(03)00711-9",
language = "English",
volume = "22",
pages = "613--623",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",
number = "7",

}

Detecting intrusion with rule-based integration of multiple models. / Han, Sang Jun; Cho, Sung-Bae.

In: Computers and Security, Vol. 22, No. 7, 01.01.2003, p. 613-623.

TY - JOUR

T1 - Detecting intrusion with rule-based integration of multiple models

AU - Han, Sang Jun

AU - Cho, Sung-Bae

PY - 2003/1/1

Y1 - 2003/1/1

UR - http://www.scopus.com/inward/record.url?scp=0242637092&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0242637092&partnerID=8YFLogxK

U2 - 10.1016/S0167-4048(03)00711-9

DO - 10.1016/S0167-4048(03)00711-9

M3 - Comment/debate

AN - SCOPUS:0242637092

VL - 22

SP - 613

EP - 623

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

IS - 7

ER -