Detecting intrusion with rule-based integration of multiple models

Sang Jun Han, Sung Bae Cho

Research output: Contribution to journalComment/debate

36 Citations (Scopus)

Abstract

As the information technology grows interests in the intrusion detection system (IDS), which detects unauthorized usage, misuse by a local user and modification of important data, has been raised. In the field of anomaly-based IDS several data mining techniques such as hidden Markov model (HMM), artificial neural network, statistical techniques and expert systems are used to model network packets, system call audit data, etc. However, there are undetectable intrusion types for each measure and modeling method because each intrusion type makes anomalies at individual measure. To overcome this drawback of single-measure anomaly detector, this paper proposes a multiple-measure intrusion detection method. We measure normal behavior by systems calls, resource usage and file access events and build up profiles for normal behavior with hidden Markov model, statistical method and rule-base method, which are integrated with a rule-based approach. Experimental results with real data clearly demonstrate the effectiveness of the proposed method that has significantly low false-positive error rate against various types of intrusion.

Original languageEnglish
Pages (from-to)613-623
Number of pages11
JournalComputers and Security
Volume22
Issue number7
DOIs
Publication statusPublished - 2003 Jan 1

    Fingerprint

All Science Journal Classification (ASJC) codes

  • Computer Science(all)
  • Law

Cite this