Issue No.07 - July (2002 vol.51)
<p>Intrusion detection complements prevention mehcanisms, such as firewalls, cryptography, and authentication, to capture intrusions into an information system while they are acting on the information system. Our study investigates a multivariate quality control technique to detect intrusions by building a long-term profile of normal activities in information systems (norm profile) and using the norm profile to detect anomalies. The multivariate quality control technique is based on Hotelling's \rm T^2 test that detects both counterrelationship anomalies and mean-shift anomalies. The performance of the Hotelling's \rm T^2 test is examined on two sets of computer audit data: a small data set and a large multiday data set. Both data sets contain sessions of normal and intrusive activities. For the small data set, the Hotelling's \rm T^2 test signals all the intrusion sessions and produces no false alarms for the normal sessions. For the large data set, the Hotelling's \rm T^2 test signals 92 percent of the intrusion sessions while producing no false alarms for the normal sessions. The performance of the Hotelling's \rm T^2 test is also compared with the performance of a more scalable multivariate technique—a chi-squared distance test.</p>
Computer security, intrusion detection, multivariate statistical analysis, chi-square test, and Hotelling's \rm T^2 test.
Nong Ye, Syed Masum Emran, Qiang Chen, Sean Vilbert, "Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection", IEEE Transactions on Computers, vol.51, no. 7, pp. 810-820, July 2002, doi:10.1109/TC.2002.1017701