P. Helman, G. Liepins, "Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse," IEEE Transactions on Software Engineering, vol. 19, no. 9, pp. 886-901, September 1993.
BibTeX:
@article{10.1109/32.241771,
  author    = {P. Helman and G. Liepins},
  title     = {Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse},
  journal   = {IEEE Transactions on Software Engineering},
  volume    = {19},
  number    = {9},
  issn      = {0098-5589},
  year      = {1993},
  pages     = {886--901},
  doi       = {10.1109/32.241771},
  publisher = {IEEE Computer Society},
  address   = {Los Alamitos, CA, USA}
}
Index terms: audit trail analysis; computer misuse; computer transactions; stationary stochastic processes; misuse detectors; detection accuracy; transaction attributes; NP-hard; heuristic approach; density estimation; modeling; statistical foundations; system security; auditing; computer crime; security of data; stochastic processes; transaction processing
Abstract: We model computer transactions as generated by two stationary stochastic processes, the legitimate (normal) process N and the misuse process M. We define misuse (anomaly) detection to be the identification of transactions most likely to have been generated by M. We formally demonstrate that the accuracy of misuse detectors is bounded by a function of the difference of the densities of the processes N and M over the space of transactions. In practice, detection accuracy can be far below this bound, and generally improves with increasing sample size of historical (training) data. Careful selection of transaction attributes can also improve detection accuracy; we suggest several criteria for attribute selection, including adequate sampling rate and separation between models. We demonstrate that exactly optimizing even the simplest of these criteria is NP-hard, thus motivating a heuristic approach. We further differentiate between modeling (density estimation) and non-modeling approaches.
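A small worked illustration of the density-difference bound and of the sample-size effect, added here as an example and not taken from the paper. It assumes a constructed six-cell transaction space (time bucket x command class), constructed densities for N and M, equal priors for the two processes, and accuracy measured as the average of the false-alarm and miss rates; under those assumptions the optimal detector's error is (1 - TV(N, M))/2, with TV the total-variation distance, and a plug-in detector built from small training samples can only do worse.

```python
import random
from collections import Counter

# Constructed transaction space: (time bucket, command class)
SPACE = [(h, c) for h in ("day", "night") for c in ("read", "write", "admin")]

# Constructed densities over SPACE for the legitimate process N and misuse process M
P_N = {("day", "read"): 0.45, ("day", "write"): 0.30, ("day", "admin"): 0.05,
       ("night", "read"): 0.10, ("night", "write"): 0.08, ("night", "admin"): 0.02}
P_M = {("day", "read"): 0.10, ("day", "write"): 0.10, ("day", "admin"): 0.25,
       ("night", "read"): 0.10, ("night", "write"): 0.15, ("night", "admin"): 0.30}


def total_variation(p, q):
    """TV(p, q) = 1/2 * sum |p(x) - q(x)| over the transaction space."""
    return 0.5 * sum(abs(p[x] - q[x]) for x in SPACE)


def bayes_detector(p_n, p_m):
    """Flag x as misuse iff p_m(x) > p_n(x) (optimal under equal priors)."""
    return {x: p_m[x] > p_n[x] for x in SPACE}


def error_rate(detector, p_n, p_m):
    """Average of false-alarm rate (under N) and miss rate (under M)."""
    false_alarm = sum(p_n[x] for x in SPACE if detector[x])
    miss = sum(p_m[x] for x in SPACE if not detector[x])
    return 0.5 * (false_alarm + miss)


def bound_error(p_n, p_m):
    """Best achievable error for any detector: (1 - TV(N, M)) / 2."""
    return 0.5 * (1.0 - total_variation(p_n, p_m))


def estimate_density(samples):
    """Plain relative-frequency density estimate; unseen cells get 0."""
    counts = Counter(samples)
    return {x: counts[x] / len(samples) for x in SPACE}


def plug_in_error(n_samples, seed=0):
    """Error of a detector built from n_samples training transactions per process."""
    rng = random.Random(seed)
    draw = lambda p: rng.choices(SPACE, weights=[p[x] for x in SPACE], k=n_samples)
    det = bayes_detector(estimate_density(draw(P_N)), estimate_density(draw(P_M)))
    return error_rate(det, P_N, P_M)  # evaluated against the true densities
```

With these densities TV(N, M) is 0.55, so no detector on this attribute space can beat an error of 0.225; a plug-in detector trained on a few thousand transactions per process reaches that floor, while one trained on a handful of transactions sits above it.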