Issue No. 07 - July (2002 vol. 51)
<p>Intrusion detection complements prevention mehcanisms, such as firewalls, cryptography, and authentication, to capture intrusions into an information system while they are acting on the information system. Our study investigates a multivariate quality control technique to detect intrusions by building a long-term profile of normal activities in information systems (norm profile) and using the norm profile to detect anomalies. The multivariate quality control technique is based on Hotelling's \rm T^2 test that detects both counterrelationship anomalies and mean-shift anomalies. The performance of the Hotelling's \rm T^2 test is examined on two sets of computer audit data: a small data set and a large multiday data set. Both data sets contain sessions of normal and intrusive activities. For the small data set, the Hotelling's \rm T^2 test signals all the intrusion sessions and produces no false alarms for the normal sessions. For the large data set, the Hotelling's \rm T^2 test signals 92 percent of the intrusion sessions while producing no false alarms for the normal sessions. The performance of the Hotelling's \rm T^2 test is also compared with the performance of a more scalable multivariate technique—a chi-squared distance test.</p>
Computer security, intrusion detection, multivariate statistical analysis, chi-square test, and Hotelling's \rm T^2 test.
N. Ye, S. M. Emran, Q. Chen and S. Vilbert, "Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection," in IEEE Transactions on Computers, vol. 51, no. , pp. 810-820, 2002.