Article

Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage

Authors:

Jude Shavlik,

Mark ShavlikAuthors Info & Claims

KDD '04: Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining

Pages 276 - 285

https://doi.org/10.1145/1014052.1014084

Published: 22 August 2004 Publication History

Get Access

Abstract

We present and empirically analyze a machine-learning approach for detecting intrusions on individual computers. Our Winnow-based algorithm continually monitors user and system behavior, recording such properties as the number of bytes transferred over the last 10 seconds, the programs that currently are running, and the load on the CPU. In all, hundreds of measurements are made and analyzed each second. Using this data, our algorithm creates a model that represents each particular computer's range of normal behavior. Parameters that determine when an alarm should be raised, due to abnormal activity, are set on a per-computer basis, based on an analysis of training data. A major issue in intrusion-detection systems is the need for very low false-alarm rates. Our empirical results suggest that it is possible to obtain high intrusion-detection rates (95%) and low false-alarm rates (less than one per day per computer), without "stealing" too many CPU cycles (less than 1%). We also report which system measurements are the most valuable in terms of detecting intrusions. A surprisingly large number of different measurements prove significantly useful.

References

[1]

R. Agarwal & M. Joshi, PNrule: A New Framework for Learning Classifier Models in Data Mining (A Case-Study in Network Intrusion Detection) Proc. First SIAM Intl. Conf. on Data Mining, 2001.

Google Scholar

[2]

J. Anderson, Computer Security Threat Monitoring and Surveillance, J. P. Anderson Company Technical Report, Fort Washington, PA, 1980.

Google Scholar

[3]

DARPA, Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems, DARPA Workshop Report, 1999.

Google Scholar

[4]

A. Ghosh, A. Schwartzbard, & M. Schatz, Learning Program Behavior Profiles for Intrusion Detection, USENIX Workshop on Intrusion Detection & Network Monitoring, April 1999.

Digital Library

Google Scholar

[5]

T. Lane & C. Brodley, Approaches to Online Learning and Concept Drift for User Identification in Computer Security, Proc. KDD, pp 259--263, 1998.

Google Scholar

[6]

A. Lazarevic, L. Ertoz, A. Ozgur, J. Srivastava & V. Kumar, A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection, Proc. SIAM Conf. Data Mining, 2003.

Google Scholar

[7]

W. Lee, S.J. Stolfo, and K. Mok, A Data Mining Framework for Building Intrusion Detection Models, Proc. IEEE Symp. on Security and Privacy, 1999.

Google Scholar

[8]

N. Littlestone, Learning Quickly When Irrelevant Attributes Abound. Machine Learning 2, pp. 285--318.

Digital Library

Google Scholar

[9]

T. Lunt, A Survey of Intrusion Detection Techniques, Computers and Security 12:4, pp. 405--418, 1993.

Digital Library

Google Scholar

[10]

T. Mitchell, Machine Learning, McGraw-Hill.

Google Scholar

[11]

P. Neumann, The Challenges of Insider Misuse, SRI Computer Science Lab Technical Report, 1999

Google Scholar

[12]

J. Shavlik & M. Shavlik, Final Project Report for DARPA's Insider Threat Active Profiling (ITAP) program, April 2002.

Google Scholar

[13]

C. Warrender, S. Forrest, & B. Pearlmutter. Detecting Intrusions using System Calls. IEEE Symposium on Security and Privacy, pp. 133--145, 1999.

Crossref

Google Scholar

Cited By

View all

Mazhelis OPuuronen SRaento M(2022)Estimating Accuracy of Mobile-Masquerader Detection Using Worst-Case and Best-Case ScenarioInformation and Communications Security10.1007/11935308_22(302-321)Online publication date: 10-Mar-2022
https://dl.acm.org/doi/10.1007/11935308_22
Ayyagari MKesswani NKumar MKumar K(2021)Intrusion detection techniques in network environment: a systematic reviewWireless Networks10.1007/s11276-020-02529-3Online publication date: 2-Jan-2021
https://doi.org/10.1007/s11276-020-02529-3
Diab DAsSadhan BBinsalleeh HLambotharan SKyriakopoulos KGhafir I(2021)Denial of service detection using dynamic time warpingInternational Journal of Network Management10.1002/nem.215931:6Online publication date: 2-Nov-2021
https://dl.acm.org/doi/10.1002/nem.2159
Show More Cited By

Index Terms

Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage
1. Computing methodologies
  1. Machine learning
2. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Intrusion Detection System by Using Hybrid Algorithm of Data Mining Technique
ICSCA '18: Proceedings of the 2018 7th International Conference on Software and Computer Applications

The aim of a network-based intrusion detection system (NIDS) is to detect malicious activity that targets a network and its resources. Abnormal activities or behaviors on the network systems could be identified by security systems. But, conventional ...
Using artificial anomalies to detect unknown and known network intrusions

Intrusion detection systems (IDSs) must be capable of detecting new and unknown attacks, or anomalies. We study the problem of building detection models for both pure anomaly detection and combined misuse and anomaly detection (i.e., detection of both ...
An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks

In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

KDD '04: Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining

August 2004

874 pages

ISBN:1581138881

DOI:10.1145/1014052

General Chairs:
Won Kim
Cyber Database Solutions
,
Ronny Kohavi
Amazon.com
,
Program Chairs:
Johannes Gehrke
Cornell University
,
William DuMouchel
AT&T Labs Research

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 August 2004

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

KDD04

Sponsor:

KDD04: ACM SIGKDD International Conference on Knowledge Discovery and Data Mining

August 22 - 25, 2004

WA, Seattle, USA

Acceptance Rates

Overall Acceptance Rate 1,133 of 8,635 submissions, 13%

Upcoming Conference

KDD '25

Sponsor:
sigkdd
sigkdd

The 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining

August 3 - 7, 2025

Toronto , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

36
Total Citations
View Citations
1,020
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)0

Reflects downloads up to 01 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Mazhelis OPuuronen SRaento M(2022)Estimating Accuracy of Mobile-Masquerader Detection Using Worst-Case and Best-Case ScenarioInformation and Communications Security10.1007/11935308_22(302-321)Online publication date: 10-Mar-2022
https://dl.acm.org/doi/10.1007/11935308_22
Ayyagari MKesswani NKumar MKumar K(2021)Intrusion detection techniques in network environment: a systematic reviewWireless Networks10.1007/s11276-020-02529-3Online publication date: 2-Jan-2021
https://doi.org/10.1007/s11276-020-02529-3
Diab DAsSadhan BBinsalleeh HLambotharan SKyriakopoulos KGhafir I(2021)Denial of service detection using dynamic time warpingInternational Journal of Network Management10.1002/nem.215931:6Online publication date: 2-Nov-2021
https://dl.acm.org/doi/10.1002/nem.2159
Alsowail RAl-Shehari T(2020)Empirical Detection Techniques of Insider Threat IncidentsIEEE Access10.1109/ACCESS.2020.29897398(78385-78402)Online publication date: 2020
https://doi.org/10.1109/ACCESS.2020.2989739
AsSadhan BAlShaalan RDiab DAlzoghaiby AAlshebeili SAl-Muhtadi JBin-Abbas HEl-Samie F(2020)A robust anomaly detection method using a constant false alarm rate approachMultimedia Tools and Applications10.1007/s11042-020-08653-8Online publication date: 22-Jan-2020
https://doi.org/10.1007/s11042-020-08653-8
Bridges RGlass-Vanderlan TIannacone MVincent MChen Q(2019)A Survey of Intrusion Detection Systems Leveraging Host DataACM Computing Surveys10.1145/334438252:6(1-35)Online publication date: 14-Nov-2019
https://dl.acm.org/doi/10.1145/3344382
Omar CAldrich J(2018)Reasonably programmable literal notationProceedings of the ACM on Programming Languages10.1145/32368012:ICFP(1-32)Online publication date: 30-Jul-2018
https://dl.acm.org/doi/10.1145/3236801
Diehl LFirsov DStump A(2018)Generic zero-cost reuse for dependent typesProceedings of the ACM on Programming Languages10.1145/32367992:ICFP(1-30)Online publication date: 30-Jul-2018
https://dl.acm.org/doi/10.1145/3236799
New MAhmed A(2018)Graduality from embedding-projection pairsProceedings of the ACM on Programming Languages10.1145/32367682:ICFP(1-30)Online publication date: 30-Jul-2018
https://dl.acm.org/doi/10.1145/3236768
Liu LDe Vel OHan QZhang JXiang Y(2018)Detecting and Preventing Cyber Insider Threats: A SurveyIEEE Communications Surveys & Tutorials10.1109/COMST.2018.280074020:2(1397-1417)Online publication date: Oct-2019
https://doi.org/10.1109/COMST.2018.2800740
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Intrusion Detection System by Using Hybrid Algorithm of Data Mining Technique

Using artificial anomalies to detect unknown and known network intrusions

An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks