Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse
September 1993 (vol. 19 no. 9)
pp. 886-901

We model computer transactions as generated by two stationary stochastic processes, the legitimate (normal) process N and the misuse process M. We define misuse (anomaly) detection to be the identification of transactions most likely to have been generated by M. We formally demonstrate that the accuracy of misuse detectors is bounded by a function of the difference of the densities of the processes N and M over the space of transactions. In practice, detection accuracy can be far below this bound, and generally improves with increasing sample size of historical (training) data. Careful selection of transaction attributes can also improve detection accuracy; we suggest several criteria for attribute selection, including adequate sampling rate and separation between models. We demonstrate that exactly optimizing even the simplest of these criteria is NP-hard, thus motivating a heuristic approach. We further differentiate between modeling (density estimation) and nonmodeling approaches.
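The following is an added example, not code from the paper, that makes the two-process model concrete on a small, constructed transaction space. It assumes equal prior probability for N and M and uses the Bayes-optimal detector (flag a transaction when it is likelier under M than under N), whose accuracy is 1/2 + TV(N, M)/2 with TV the total variation distance between the two densities; that is one instance of an accuracy bound that is a function of the density difference, and the paper's own statement of the bound should be taken from the paper. The densities N_TRUE and M_TRUE and the attribute names are invented for illustration. The example then learns a detector from relative-frequency density estimates of growing training samples, showing accuracy below the bound for small samples, and scores each attribute by the separation (TV of the marginals) it retains when it is the only attribute recorded.

```python
import random
from collections import Counter

# Constructed transaction space: each transaction is "operation@period".
# The densities below are invented for illustration; they are not from the paper.
SPACE = ["read@day", "write@day", "login@day",
         "read@night", "write@night", "login@night"]
N_TRUE = {"read@day": 0.40, "write@day": 0.25, "login@day": 0.20,
          "read@night": 0.08, "write@night": 0.05, "login@night": 0.02}
M_TRUE = {"read@day": 0.10, "write@day": 0.10, "login@day": 0.05,
          "read@night": 0.20, "write@night": 0.25, "login@night": 0.30}


def total_variation(p, q):
    """Total variation distance: half the L1 difference of two densities."""
    return 0.5 * sum(abs(p[t] - q[t]) for t in p)


def bayes_accuracy(n, m):
    """Accuracy of the best possible detector under equal priors on N and M.
    Equals 1/2 + TV(N, M)/2, i.e. a function of the density difference only."""
    return 0.5 * sum(max(n[t], m[t]) for t in n)


def optimal_detector(n, m):
    """Flag exactly the transactions that are likelier under M than under N."""
    return {t for t in n if m[t] > n[t]}


def true_accuracy(flagged, n, m):
    """Accuracy of a detector (given as its set of flagged transactions),
    measured against the true densities with equal priors."""
    correct_normal = sum(n[t] for t in n if t not in flagged)
    correct_misuse = sum(m[t] for t in m if t in flagged)
    return 0.5 * (correct_normal + correct_misuse)


def estimate_density(samples, space):
    """Relative-frequency (nonparametric) density estimate from a training sample."""
    counts = Counter(samples)
    total = len(samples)
    return {t: counts[t] / total for t in space}


def learned_detector(train_size, seed):
    """Detector built from train_size historical transactions of each process."""
    rng = random.Random(seed)
    weights_n = [N_TRUE[t] for t in SPACE]
    weights_m = [M_TRUE[t] for t in SPACE]
    n_hat = estimate_density(rng.choices(SPACE, weights_n, k=train_size), SPACE)
    m_hat = estimate_density(rng.choices(SPACE, weights_m, k=train_size), SPACE)
    return optimal_detector(n_hat, m_hat)


def learning_curve(sizes, seed=7):
    """True accuracy of the learned detector as the training sample grows."""
    return [(k, true_accuracy(learned_detector(k, seed + k), N_TRUE, M_TRUE))
            for k in sizes]


def marginal(density, attribute_index):
    """Project a density onto one attribute (0 = operation, 1 = period)."""
    out = {}
    for t, p in density.items():
        key = t.split("@")[attribute_index]
        out[key] = out.get(key, 0.0) + p
    return out


def attribute_separation(attribute_index):
    """Separation between N and M that survives when only one attribute is kept."""
    return total_variation(marginal(N_TRUE, attribute_index),
                           marginal(M_TRUE, attribute_index))


if __name__ == "__main__":
    bound = bayes_accuracy(N_TRUE, M_TRUE)
    print(f"accuracy bound from the density difference: {bound:.3f}")
    for k, acc in learning_curve([5, 20, 100, 1000, 5000]):
        print(f"training size {k:5d}: learned detector accuracy {acc:.3f}")
    print(f"separation kept by 'operation' alone: {attribute_separation(0):.3f}")
    print(f"separation kept by 'period' alone:    {attribute_separation(1):.3f}")
```

With these constructed densities the bound is 0.80, and no learned detector can exceed it because the Bayes rule is optimal against the true densities; small training samples typically land below it. The attribute scores show the point of the separation criterion: here the period attribute alone preserves the full separation (0.60), while the operation attribute alone retains only 0.18.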

Index Terms:
audit trail analysis; computer misuse; computer transactions; stationary stochastic processes; misuse detectors; detection accuracy; transaction attributes; NP-hard; heuristic approach; density estimation; modeling; statistical foundations; system security; auditing; computer crime; security of data; stochastic processes; transaction processing
P. Helman, G. Liepins, "Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse," IEEE Transactions on Software Engineering, vol. 19, no. 9, pp. 886-901, Sept. 1993, doi:10.1109/32.241771