size and denoted as k. A detector window size that is smaller than the length of
the process would cause the detector to parse one process into many sequences,
resulting in a low anomaly signal. At the same time, a detector window size that
is larger than the process would cause the detector to see only the one process
sequence in the given instance, resulting in a fair anomaly detection.
In the experiments, we varied the value of k from 5 to 30; most of the processes
contained fewer than 30 system calls. Compared to the process sequences, these
values cover the possibilities of being equal to, less than, or greater than the
process length. Precisely, this choice describes how the value of k affects the
performance of the classifier. Figure 7 shows the ROC curves for three different
k values. For this particular training and testing data set, k = 15 is the best
choice: with this value, the detection rate reaches 100% faster and at a lower
false positive rate compared with the other two k values. For k = 15, the
classifier algorithm can detect only 3 out of 10 anomalous sessions with zero
false positive rate. Reducing the similarity threshold leads to a higher
detection rate, but this reduction has some cost in that the false positive rate
becomes higher. For k = 15, and at threshold 0.81, the detection rate reaches
100% with a false positive rate of 0.6% (only 48 false positive detections out of
7798 normal sessions included in the training data set).
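The window-size and threshold trade-offs described above, as an added example that is not the paper's code: a sliding window of length k is slid over each process's system-call trace, a profile of windows seen in normal sessions is built, and each session is scored by the fraction of its windows that are unseen (an anomaly score used in place of the paper's similarity measure, so that lowering the threshold raises both detection rate and false positive rate, as on the page). All traces are constructed for illustration and are not DARPA data.

```python
from typing import List, Sequence, Set, Tuple

Trace = Sequence[str]   # system calls of one process
Session = List[Trace]   # processes belonging to one session
Window = Tuple[str, ...]

def windows(trace: Trace, k: int) -> List[Window]:
    """Slide a window of length k over a process trace. A trace no longer than k
    (window larger than the process) yields the whole trace as a single window."""
    if len(trace) <= k:
        return [tuple(trace)]
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(normal: List[Session], k: int) -> Set[Window]:
    """Every k-window observed across the normal training sessions."""
    return {w for s in normal for t in s for w in windows(t, k)}

def anomaly_score(session: Session, profile: Set[Window], k: int) -> float:
    """Fraction of the session's windows never seen in normal traffic (0 = normal)."""
    seen = [w for t in session for w in windows(t, k)]
    return sum(w not in profile for w in seen) / len(seen) if seen else 0.0

def evaluate(normal: List[Session], attacks: List[Session],
             profile: Set[Window], k: int, threshold: float) -> Tuple[float, float]:
    """Flag a session when its score reaches the threshold; return (DR, FPR)."""
    fp = sum(anomaly_score(s, profile, k) >= threshold for s in normal)
    tp = sum(anomaly_score(s, profile, k) >= threshold for s in attacks)
    return tp / len(attacks), fp / len(normal)

# Constructed traces (not DARPA data): training sessions, held-out normal, attacks.
TRAIN = [[["open", "read", "write", "close"], ["brk", "mmap", "open", "read", "close"]],
         [["open", "read", "read", "write", "close"], ["stat", "open", "read", "close"]]]
NORMAL = [[["open", "read", "write", "close"]],
          [["stat", "open", "read", "write", "close"]],
          [["brk", "open", "read", "close"]]]
ATTACKS = [[["open", "read", "execve", "setuid", "write", "close"]],
           [["open", "read", "write", "close"], ["socket", "connect", "execve"]]]

if __name__ == "__main__":
    for k in (3, 10):  # window shorter than, and longer than, every process
        profile = build_profile(TRAIN, k)
        for thr in (0.3, 0.5, 0.9):
            dr, fpr = evaluate(NORMAL, ATTACKS, profile, k, thr)
            print(f"k={k:2d} threshold={thr:.2f} DR={dr:.2f} FPR={fpr:.2f}")
```

With k = 10 every process collapses to a single window, so near-normal sessions that differ by one call are flagged outright and the false positive rate rises, which is the oversized-window effect the text describes.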
4 Conclusion
A new classifier has been proposed; it is built on different treatments of
pattern extraction. This type of classification is used for forming attack
signatures and for detecting anomalous behavior. The experiments with the DARPA
data set have shown that the proposed algorithm can detect intrusive behaviour
effectively. The experiments indicate that the patterns we obtained are
different from the command patterns. They are new patterns that can describe
attacks more accurately, detect attacks whose features appear only once, and
offer a new direction for intrusion detection research. Also, we found that
continuous sequences reflect cleanly occurring sequences, while discontinuous
patterns represent sequences mixed with undesirable noisy data.