Hybrid Intrusion Detection Model Based on Ordered Sequences
Abdulrahman Alharby and Hideki Imai
Institute of Industrial Science, The University of Tokyo,
4-6-1, Komaba, Meguro-ku, Tokyo, 153-8505 Japan
alharby@imailab.iis.u-tokyo.ac.jp
imai@iis.u-tokyo.ac.jp
Abstract. An algorithm for designing a hybrid intrusion detection system based on a behavior analysis technique is proposed. The system can be used both to generate attack signatures and to detect anomalous behavior. The approach distinguishes the order in which attack behavior occurs, and so overcomes a limitation of methods based on mismatch or frequency counts, which perform statistical analysis of attack behavior with association rules or frequent-episode algorithms and therefore cannot tell two different orderings of the same events apart. The preprocessed input to the algorithm consists of connection records extracted from DARPA's tcpdump data. The complexity of the algorithm is analyzed against a well-known algorithm and is shown to be greatly reduced. Applying the proposed algorithm to transactions of known attacks, we found that it describes attacks more accurately and that it can detect attacks that consist of only a small number of transactions. Every important sequence is therefore considered and discovered, even if it occurs only once, because the extraction covers all possible sequence combinations within the attack transactions. Four types of attacks are examined, covering all of the DARPA attack categories.

Keywords: intrusion detection, continuous pattern, discontinuous pattern, data mining.
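As an added illustration (this is example code written for this page, not the authors' algorithm, and the "connection records" below are constructed, not DARPA data), the following Python shows the two kinds of ordered pattern named in the keywords and why order-sensitive extraction separates behaviors that a frequency count conflates. A transaction is assumed to be the ordered list of service names seen in one host's connection records; a "continuous" pattern is a contiguous run, a "discontinuous" pattern is an order-preserving subsequence with gaps. Signature candidates are patterns that occur in at least one attack transaction and in no normal transaction; because every combination is enumerated, a pattern that occurs in a single attack transaction is still found. Function and variable names are this example's own.

```python
"""Ordered-sequence extraction over constructed connection-record transactions."""
from collections import Counter
from itertools import combinations

# Constructed sample transactions (NOT DARPA data): one ordered list of
# service names per host session, labelled by hand for the example.
TRANSACTIONS = {
    "probe-1":  ["icmp", "icmp", "http", "ftp", "smtp"],
    "probe-2":  ["icmp", "http", "icmp", "ftp", "telnet"],
    "dos-1":    ["http", "http", "http", "http"],
    "normal-1": ["http", "ftp", "smtp"],
    "normal-2": ["http", "http", "smtp"],
}
ATTACKS = {"probe-1", "probe-2", "dos-1"}


def continuous_patterns(seq, min_len=2, max_len=None):
    """All contiguous runs of seq (order preserved, no gaps), as tuples."""
    max_len = max_len or len(seq)
    pats = set()
    for i in range(len(seq)):
        for j in range(i + min_len, min(len(seq), i + max_len) + 1):
            pats.add(tuple(seq[i:j]))
    return pats


def discontinuous_patterns(seq, min_len=2, max_len=4):
    """All order-preserving subsequences of seq, gaps allowed, up to max_len."""
    pats = set()
    for k in range(min_len, min(max_len, len(seq)) + 1):
        for idx in combinations(range(len(seq)), k):
            pats.add(tuple(seq[i] for i in idx))
    return pats


def pattern_support(transactions, extractor):
    """Map each pattern to the set of transaction ids that contain it."""
    support = {}
    for tid, seq in transactions.items():
        for p in extractor(seq):
            support.setdefault(p, set()).add(tid)
    return support


def signature_candidates(transactions, attack_ids, extractor):
    """Patterns seen in some attack transaction and in no normal transaction.

    Support is exhaustive, so a pattern present in only one attack
    transaction is still returned (with support size 1).
    """
    attack_ids = set(attack_ids)
    normal_ids = set(transactions) - attack_ids
    return {
        p: ids
        for p, ids in pattern_support(transactions, extractor).items()
        if ids & attack_ids and not ids & normal_ids
    }


def order_sensitive(a, b):
    """(same frequency profile?, same ordered-pattern set?) for two sequences.

    Shows the limitation of frequency-based comparison: two sequences with
    identical event counts can have different ordered patterns.
    """
    return Counter(a) == Counter(b), continuous_patterns(a) == continuous_patterns(b)


if __name__ == "__main__":
    for name, ext in (("continuous", continuous_patterns),
                      ("discontinuous", discontinuous_patterns)):
        cands = signature_candidates(TRANSACTIONS, ATTACKS, ext)
        print(f"{name}: {len(cands)} candidate signatures")
        for p, ids in sorted(cands.items()):
            print("  ", p, "->", sorted(ids))
    print(order_sensitive(["icmp", "http", "ftp"], ["http", "ftp", "icmp"]))
```

Note that the run `("http", "http")` is rejected as a signature because it also occurs in `normal-2`, while the longer run `("http", "http", "http")` survives with support from `dos-1` alone; likewise the discontinuous pattern `("icmp", "ftp")` is supported by both probes, whereas as a continuous pattern it is supported only by `probe-2`.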
1 Introduction
Over the past decade, both the number and the severity of computer attacks have increased significantly. A survey of 2004 cyber crime conducted by CSO magazine shows a significant increase in reported electronic crimes: more than 40% of respondents reported an increase in intrusions and electronic crimes compared with the previous year, and 70% reported at least one electronic crime or intrusion committed against their organization [1]. According to the collected statistics, electronic crime has an enormous impact on the economy; reports put the cost of electronic crime at more than $600 million in 2003.

IDSs are considered powerful security tools in computer system environments. These systems collect activity within the protected network and analyze it in order to detect intrusions. System activities are usually collected from