This Article 
 Bibliographic References 
 Add to: 
Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection
July 2002 (vol. 51 no. 7)
pp. 810-820

Intrusion detection complements prevention mehcanisms, such as firewalls, cryptography, and authentication, to capture intrusions into an information system while they are acting on the information system. Our study investigates a multivariate quality control technique to detect intrusions by building a long-term profile of normal activities in information systems (norm profile) and using the norm profile to detect anomalies. The multivariate quality control technique is based on Hotelling's \rm T^2 test that detects both counterrelationship anomalies and mean-shift anomalies. The performance of the Hotelling's \rm T^2 test is examined on two sets of computer audit data: a small data set and a large multiday data set. Both data sets contain sessions of normal and intrusive activities. For the small data set, the Hotelling's \rm T^2 test signals all the intrusion sessions and produces no false alarms for the normal sessions. For the large data set, the Hotelling's \rm T^2 test signals 92 percent of the intrusion sessions while producing no false alarms for the normal sessions. The performance of the Hotelling's \rm T^2 test is also compared with the performance of a more scalable multivariate technique—a chi-squared distance test.

[1] DARPA Proc. DARPA Information Survivability Conf. and Expo. Los Alamitos, Calif.: IEEE CS, Jan. 2000.
[2] W. Stallings, Network and Inter-Network Security Principles and Practice. Englewood Cliffs, NJ: Prentice Hall, 1995.
[3] R. Lippmann et al., "Evaluating Intrusion Detection Systems: The 1998 DAPA Offline Intrusion Detection Evaluation," Discex 2000, Vol. 2, IEEE Computer Society Press, Los Alamitos, Calif., 2000, pp. 12-26.
[4] C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, 2nd ed., Prentice-Hall, 2002, p. 237.
[5] H. Debar, M. Dacier, and A. Wespi, “Towards a Taxonomy of Intrusion-Detection Systems,” Computer Networks, vol. 31, pp. 805-822, 1999.
[6] T. Escamilla, Intrusion Detection: Network Security beyond the Firewall. New York: John Wiley&Sons, 1998.
[7] D.E. Denning, “An Intrusion-Detection Model,” IEEE Trans. Software Eng., vol. 13, pp. 222–232, Feb. 1987.
[8] G. Vigna, M. Eckmann, and R.A. Kemmerer, "The STAT Toolsuite," Proc. DARPA Information Survivability Conf. and Expo. I (DISCEX-I), vol. 2, pp. 46-55.
[9] S. Kumar, “Classification and Detection of Computer Intrusions,” PhD dissertation, Dept. of Computer Science, Purdue Univ., West lafayette, Indiana, 1995.
[10] W. Lee, S. Stolfo, and K. Mok, "Mining in a Data-Flow Environment: Experience in Network Intrusion Detection," Proc. Fifth Int'l Conf. Knowledge Discovery and Data Mining, AAAI Press, Menlo Park, Calif., 1999, pp. 114-124.
[11] D. Anderson, T. Frivold, and A. Valdes, “Next-Generation Intrusion Detection Expert System (NIDES): A Summary,” Technical Report SRI-CSL-97-07, Menlo Park, Calif.: SRI Int'l, May 1995.
[12] P. Neumann and P. Porras, “Experience with EMERALD to Date,” Proc. First USENIX Workshop Intrusion Detection and Network Monitoring, Apr. 1999.
[13] A.K. Ghosh, A. Schwatzbard, and M. Shatz, “Learning Program Behavior Profiles for Intrusion Detection,” Proc. First USENIX Workshop Intrusion Detection and Network Monitoring, Apr. 1999. .
[14] H.S. Javitz and A. Valdes, “The Sri Ides Statistical Anomaly Detector,” Proc. IEEE Computer Society Symp. Security and Privacy, May 1991.
[15] H.S. Javitz and A. Valdes, “The NIDES Statistical Component Description of Justification,” Technical Report A010, Menlo Park, Calif.: SRI Int'l, Mar. 1994.
[16] Y. Jou, F. Gong, C. Sargor, X. Wu, S. Wu, H. Chang, and F. Wang, “Design and Implementation of a Scalable Intrusion Detection System for the Protection of Network Infrastructure,” Proc. DARPA Information Survivability Conf. and Expo., pp. 69-83, 2000.
[17] S. Forrest, S.A. Hofmeyer, and A. Somayaji, “Computer Immunology,” Comm. ACM, vol. 40, no. 10, pp. 88-96, Oct. 1997.
[18] C. Ko, G. Fink, and K. Levitt, “Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-Based Approach,” Proc. 1997 IEEE Symp. Security and Privacy, pp. 134-144, 1997.
[19] Y.-M. Chou, R.L. Mason, and J.C. Young, “Power Comparisons for a Hotelling's$\big. \rm T^2\bigr.$Statistic,” Comm. Statistical Simulation, vol. 28, no. 4, pp. 1031-1050, 1999.
[20] R.A. Johnson and D.W. Wichern,Applied multivariate statistical analysis, Prentice Hall, 1988.
[21] T.P. Ryan, Statistical Methods for Quality Improvement. New York: John Wiley&Sons, 1989.
[22] R.L. Mason, N.D. Tracy, and J.C. Young, “Decomposition of$\big. \rm T^2\bigr.$for Multivariate Control Chart Interpretation,” J. Quality Technology, vol. 27, no. 2, pp. 99-108, Apr. 1995.
[23] R.L. Mason, N.D. Tracy, and J.C. Young, “A Practical Approach for Interpreting Multivariate$\big. \rm T^2\bigr.$Control Chart Signals,” J. Quality Technology, 29, no. 4, pp. 396-406, vol. Oct. 1997.
[24] R.L. Mason and J.C. Young, “Improving the Sensitivity of the$\big. \rm T^2\bigr.$Statistic in Multivariate Process Control,” J. Quality Technology, vol. 31, no. 2, pp. 155-164, Apr. 1999.
[25] B.S. Everitt, “A Monte Carlo Investigation of the Robustness of Hotelling's One- and Two-Sample$\big. \rm T^2\bigr.$Tests,” J. Am. Statistical Assoc., vol. 74, no. 365, pp. 48-51, Mar. 1979.
[26] R.L. Mason, C.W. Champ, N.D. Tracy, S.J. Wierda, and J.C. Young, “Assessment of Multivariate Process Control Techniques,” J. Quality Technology, vol. 29, no. 2, pp. 140-143, Apr. 1997.
[27] N. Ye and Q. Chen, “An Anomaly Detection Technique Based on a Chi-Square Statistic for Detecting Intrusions into Information Systems,” Quality and Reliability Eng. Int'l, vol. 17, no. 2, pp. 105-112, 2001.
[28] B.H. Kantowitz and R.D. Sorkin, Human Factors: Understanding People-System Relationships. New York: John Wiley&Sons, 1983.

Index Terms:
Computer security, intrusion detection, multivariate statistical analysis, chi-square test, and Hotelling's \rm T^2 test.
Nong Ye, Syed Masum Emran, Qiang Chen, Sean Vilbert, "Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection," IEEE Transactions on Computers, vol. 51, no. 7, pp. 810-820, July 2002, doi:10.1109/TC.2002.1017701
Usage of this product signifies your acceptance of the Terms of Use.