Proceedings ArticleDOI

An Intrusion-Detection Model

07 Apr 1986, pp. 118-118
TL;DR: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described, based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage.
Abstract: A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.
Citations
Proceedings ArticleDOI
07 Aug 2002
TL;DR: Using a set of benchmark data from a KDD (knowledge discovery and data mining) competition designed by DARPA, it is demonstrated that efficient and accurate classifiers can be built to detect intrusions.
Abstract: Information security is an issue of serious global concern. The complexity, accessibility, and openness of the Internet have served to increase the security risk of information systems tremendously. This paper concerns intrusion detection. We describe approaches to intrusion detection using neural networks and support vector machines. The key ideas are to discover useful patterns or features that describe user behavior on a system, and use the set of relevant features to build classifiers that can recognize anomalies and known intrusions, hopefully in real time. Using a set of benchmark data from a KDD (knowledge discovery and data mining) competition designed by DARPA, we demonstrate that efficient and accurate classifiers can be built to detect intrusions. We compare the performance of neural networks based, and support vector machine based, systems for intrusion detection.

779 citations

Proceedings ArticleDOI
07 Dec 1998
TL;DR: This paper reviews the architecture for a distributed intrusion detection system based on multiple independent entities working collectively, and calls these entities autonomous agents, which solves some of the problems previously mentioned.
Abstract: The intrusion detection system architectures commonly used in commercial and research systems have a number of problems that limit their configurability, scalability or efficiency. The most common shortcoming in the existing architectures is that they are built around a single monolithic entity that does most of the data collection and processing. In this paper, we review our architecture for a distributed intrusion detection system based on multiple independent entities working collectively. We call these entities autonomous agents. This approach solves some of the problems previously mentioned. We present the motivation and description of the approach, partial results obtained from an early prototype, a discussion of design and implementation issues, and directions for future work.

590 citations


Cites background from "An Intrusion-Detection Model"

  • ...This is the type of intrusion detection described in [5]....


Proceedings Article
01 Jan 2003
TL;DR: A novel scheme that uses robust principal component classifier in intrusion detection problems where the training data may be unsupervised and outperforms the nearest neighbor method, density-based local outliers (LOF) approach, and the outlier detection algorithm based on Canberra metric is proposed.
Abstract: This paper proposes a novel scheme that uses a robust principal component classifier in intrusion detection problems where the training data may be unsupervised. Assuming that anomalies can be treated as outliers, an intrusion predictive model is constructed from the major and minor principal components of the normal instances. A measure of the difference of an anomaly from the normal instance is the distance in the principal component space. The distance based on the major components that account for 50% of the total variation and the minor components whose eigenvalues are less than 0.20 is shown to work well. The experiments with KDD Cup 1999 data demonstrate that the proposed method achieves 98.94% in recall and 97.89% in precision with a false alarm rate of 0.92%, and outperforms the nearest neighbor method, the density-based local outliers (LOF) approach, and the outlier detection algorithm based on the Canberra metric.

574 citations

01 Jun 2006
TL;DR: This work states that the U.S. Department of Defense has a goal of information dominance to achieve and exploit superior collection, fusion, analysis, and use of information to meet mission objectives, and that these systems will push far beyond the size of today's systems and systems of systems by every measure.
Abstract: The U.S. Department of Defense (DoD) has a goal of information dominance to achieve and exploit superior collection, fusion, analysis, and use of information to meet mission objectives. This goal depends on increasingly complex systems characterized by thousands of platforms, sensors, decision nodes, weapons, and warfighters connected through heterogeneous wired and wireless networks. These systems will push far beyond the size of today's systems and systems of systems by every measure: number of lines of code; number of people employing the system for different purposes; amount of data stored, accessed, manipulated, and refined; number of connections and interdependencies among software components; and number of hardware elements. They will be ultra-large-scale (ULS) systems. The sheer scale of ULS systems will change everything. ULS systems will necessarily be decentralized in a variety of ways, developed and used by a wide variety of stakeholders with conflicting needs, evolving continuously, and constructed from heterogeneous parts. People will not just be users of a ULS system; they will be elements of the system. Software and hardware failures will be the norm rather than the exception. The acquisition of a ULS system will be simultaneous with its operation and will require new methods for control. These characteristics are beginning to emerge in today's DoD systems of systems; in ULS systems they will dominate. Consequently, ULS systems will place unprecedented demands on software acquisition, production, deployment, management, documentation, usage, and evolution practices.

548 citations

Proceedings ArticleDOI
01 Jul 1991
TL;DR: A study of a distributed adversarial model of computation in which faults are non-stationary and can move through the network, analogous to the spread of a virus or a worm, is initiated.
Abstract: We initiate a study of a distributed adversarial model of computation in which faults are non-stationary and can move through the network, analogous to the spread of a virus or a worm. We show how local computations (at each processor) and global computations can be polynomial factor-redundancy in the

496 citations