Issue No. 09 - September (1993 vol. 19)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/32.241771
<p>We model computer transactions as generated by two stationary stochastic processes, the legitimate (normal) process N and the misuse process M. We define misuse (anomaly) detection to be the identification of transactions most likely to have been generated by M. We formally demonstrate that the accuracy of misuse detectors is bounded by a function of the difference of the densities of the processes N and M over the space of transactions. In practice, detection accuracy can fall far below this bound, and it generally improves with increasing sample size of historical (training) data. Careful selection of transaction attributes can also improve detection accuracy; we suggest several criteria for attribute selection, including adequate sampling rate and separation between models. We demonstrate that exactly optimizing even the simplest of these criteria is NP-hard, thus motivating a heuristic approach. We further differentiate between modeling (density estimation) and nonmodeling approaches.</p>
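The following Python script is an added illustration of the two-process model in the abstract; it is not code from the paper. It constructs a small discrete transaction space from three categorical attributes (hour, action, host), gives each of N and M a density over that space, and shows three things the abstract states: the best achievable detection accuracy is a function of the difference between the two densities (here the standard Bayes-error bound, accuracy <= 0.5 * (1 + TV) for equal priors, where TV is the total variation distance; the paper's own bound may be phrased differently), a detector that estimates the densities from a finite audit trail gets closer to that bound as the training sample grows, and an attribute whose distribution is the same under N and M (the "host" attribute) contributes no separation between the models. The attribute names, the marginals, the assumption that attributes are independent within each process, the equal priors, and the Laplace-smoothed estimator are all assumptions of this example.

```python
import itertools
import random
from collections import Counter

# Constructed transaction model: three categorical attributes (assumed here,
# not taken from the paper).  Within each process the attributes are assumed
# independent, so the joint density is the product of the marginals.
ATTRS = {
    "hour":   ["work", "offhours"],
    "action": ["read", "write", "delete"],
    "host":   ["internal", "external"],
}
N_MARG = {  # legitimate process N
    "hour":   {"work": 0.9, "offhours": 0.1},
    "action": {"read": 0.7, "write": 0.25, "delete": 0.05},
    "host":   {"internal": 0.8, "external": 0.2},
}
M_MARG = {  # misuse process M
    "hour":   {"work": 0.4, "offhours": 0.6},
    "action": {"read": 0.3, "write": 0.3, "delete": 0.4},
    "host":   {"internal": 0.8, "external": 0.2},  # same as N: zero separation
}

def transaction_space(attrs):
    """Every transaction (tuple of (attribute, value) pairs) over attrs."""
    names = list(attrs)
    return [tuple(zip(names, vals))
            for vals in itertools.product(*(attrs[a] for a in names))]

def joint_density(marg, attrs):
    """Joint density over the transaction space under attribute independence."""
    dens = {}
    for tx in transaction_space(attrs):
        p = 1.0
        for name, val in tx:
            p *= marg[name][val]
        dens[tx] = p
    return dens

def total_variation(p_n, p_m):
    """Total variation distance: half the L1 difference of the densities."""
    return 0.5 * sum(abs(p_n[tx] - p_m[tx]) for tx in p_n)

def optimal_accuracy(p_n, p_m, prior_m=0.5):
    """Accuracy of the Bayes-optimal detector on the true densities; no
    detector can exceed it.  With prior_m = 0.5 this is 0.5 * (1 + TV)."""
    prior_n = 1.0 - prior_m
    return sum(max(prior_n * p_n[tx], prior_m * p_m[tx]) for tx in p_n)

def detector(p_n_hat, p_m_hat, prior_m=0.5):
    """Flag transactions that are more likely under M than under N."""
    prior_n = 1.0 - prior_m
    return {tx for tx in p_n_hat if prior_m * p_m_hat[tx] > prior_n * p_n_hat[tx]}

def true_accuracy(flagged, p_n, p_m, prior_m=0.5):
    """Expected accuracy of a detector, scored against the TRUE densities."""
    prior_n = 1.0 - prior_m
    caught = sum(p_m[tx] for tx in flagged)
    passed = sum(p_n[tx] for tx in p_n if tx not in flagged)
    return prior_n * passed + prior_m * caught

def sample(dens, n, rng):
    """Draw n transactions from a density: the historical (training) trail."""
    txs = list(dens)
    return rng.choices(txs, weights=[dens[tx] for tx in txs], k=n)

def estimate_density(samples, space, alpha=1.0):
    """Laplace-smoothed frequency estimate (a simple density-estimation model)."""
    counts = Counter(samples)
    total = len(samples) + alpha * len(space)
    return {tx: (counts[tx] + alpha) / total for tx in space}

def learning_curve(attrs, sizes, seed=1):
    """True accuracy of the plug-in detector vs. training size per process."""
    p_n, p_m = joint_density(N_MARG, attrs), joint_density(M_MARG, attrs)
    space, rng, curve = transaction_space(attrs), random.Random(seed), {}
    for n in sizes:
        p_n_hat = estimate_density(sample(p_n, n, rng), space)
        p_m_hat = estimate_density(sample(p_m, n, rng), space)
        curve[n] = true_accuracy(detector(p_n_hat, p_m_hat), p_n, p_m)
    return curve

if __name__ == "__main__":
    p_n, p_m = joint_density(N_MARG, ATTRS), joint_density(M_MARG, ATTRS)
    print(f"TV(N, M) = {total_variation(p_n, p_m):.4f}, "
          f"optimal accuracy = {optimal_accuracy(p_n, p_m):.4f}")
    for n, acc in learning_curve(ATTRS, [5, 20, 100, 1000, 5000]).items():
        print(f"n={n:5d} per process -> plug-in detector accuracy {acc:.4f}")
    for drop in ATTRS:  # attribute selection: which attributes separate N from M?
        sub = {a: v for a, v in ATTRS.items() if a != drop}
        opt = optimal_accuracy(joint_density(N_MARG, sub), joint_density(M_MARG, sub))
        print(f"without {drop!r}: optimal accuracy = {opt:.4f}")
```

Two details matter for reading the output. The plug-in detector is scored with `true_accuracy` against the true densities, not against its own training sample, so its accuracy can never exceed `optimal_accuracy`, which is exactly the "bounded by a function of the difference of the densities" statement; what a finite trail costs is the gap between the curve and that bound, and it shrinks with sample size. Dropping the "host" attribute leaves the bound unchanged while dropping "hour" or "action" lowers it, which is the separation-between-models criterion for attribute selection in miniature.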
audit trail analysis; computer misuse; computer transactions; stationary stochastic processes; misuse detectors; detection accuracy; transaction attributes; NP-hard; heuristic approach; density estimation; modeling; statistical foundations; system security; auditing; computer crime; security of data; stochastic processes; transaction processing
P. Helman and G. Liepins, "Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse," IEEE Transactions on Software Engineering, vol. 19, no. 9, pp. 886-901, Sept. 1993, doi: 10.1109/32.241771.