THESIS
2001
xi, 84 leaves : ill. ; 30 cm
Abstract
Intrusion detection has emerged as an important approach in computer security. In this thesis, we address the problem of detecting intrusive activities by using host-based data as the source. In particular, program profiles based on Unix system calls and user profiles based on Unix shell commands are modeled. A common method is to hand-code the attack signatures into rules for detection. This approach is slow and tedious. Other methods that have been proposed mostly have to use both normal and intrusive data for model training. In practice, however, intrusion data are usually difficult to obtain in sufficient amounts. Therefore, we propose to solve the host-based intrusion detection problem by using normal data only. In particular, support vector machines (SVM) are used in both the supervised and unsupervised learning settings.
We have performed a number of experiments using both system call data and shell command data. For the system call data, unsupervised learning based on one-class SVM is used, giving results comparable to those obtained using other methods, such as hidden Markov models. For the shell command data, however, one-class SVM sometimes has very poor discrimination ability. We have analyzed the results and proposed possible reasons to explain the unsatisfactory performance. We have also tested the shell command data using the supervised learning approach based on two-class SVM, which can deliver performance comparable to that of other methods, such as the use of cross entropy.