Abstract
Network security, and intrusion detection in particular, has been an area of increasing interest in the security community over the last several years. However, the majority of work in this area has concentrated on implementing misuse detection systems that monitor network traffic for known intrusion patterns. In anomaly detection, classification has mainly been based on statistical or sequential analysis of data, often neglecting the temporal information of events as well as the relations that exist between them. In this paper we treat anomaly detection as the problem of classifying user behavior presented as multiple incoming discrete sequences. We present an approach that allows user behavior profiles to be created and maintained relying not only on sequential information but also on temporal features, such as the lengths of events and the possible relations between them. We define a user profile as a set of predefined classes of actions, with accumulated temporal statistics for every class, and a matrix of the possible relations between classes.
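As an added illustration of the profile structure the abstract describes (this is not the paper's own code), the following Python builds a profile from constructed sessions of timed user actions: per-class length statistics plus a matrix of the Allen interval relations observed between classes, and then flags events in a new session whose length or pairwise relation falls outside the profile. The session data, class names and the `tolerance` factor are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

def allen_relation(a, b):
    """Allen's 13 interval relations between events a=(start, end) and b=(start, end)."""
    (s1, e1), (s2, e2) = a, b
    if e1 < s2: return "before"
    if e2 < s1: return "after"
    if e1 == s2: return "meets"
    if e2 == s1: return "met-by"
    if s1 == s2 and e1 == e2: return "equal"
    if s1 == s2: return "starts" if e1 < e2 else "started-by"
    if e1 == e2: return "finishes" if s1 > s2 else "finished-by"
    if s2 < s1 and e1 < e2: return "during"
    if s1 < s2 and e2 < e1: return "contains"
    return "overlaps" if s1 < s2 else "overlapped-by"
def build_profile(sessions):
    """Profile = per-class length stats (count, mean, max) + matrix of observed class relations."""
    lengths = defaultdict(list)
    relations = defaultdict(set)        # (class_a, class_b) -> Allen relations seen in training
    for events in sessions:
        for i, (ca, sa, ea) in enumerate(events):
            lengths[ca].append(ea - sa)
            for j, (cb, sb, eb) in enumerate(events):
                if i != j:              # record both directions of every pair
                    relations[(ca, cb)].add(allen_relation((sa, ea), (sb, eb)))
    stats = {c: (len(d), mean(d), max(d)) for c, d in lengths.items()}
    return stats, relations
def score_session(profile, events, tolerance=2.0):
    """Return deviations: unknown or over-long actions, and class relations never seen in training."""
    stats, relations = profile
    anomalies = []
    for i, (ca, sa, ea) in enumerate(events):
        n, _, longest = stats.get(ca, (0, 0, 0))
        if n == 0 or ea - sa > tolerance * longest:   # tolerance is an assumed threshold
            anomalies.append(("length", ca, ea - sa))
        for cb, sb, eb in events[i + 1:]:             # each unordered pair checked once
            rel = allen_relation((sa, ea), (sb, eb))
            if rel not in relations.get((ca, cb), set()):
                anomalies.append(("relation", ca, rel, cb))
    return anomalies
# Constructed training sessions: (action class, start minute, end minute).
TRAINING = [[("login", 0, 1), ("mail", 1, 20), ("editor", 25, 60), ("logout", 60, 61)],
            [("login", 0, 2), ("mail", 2, 15), ("editor", 15, 50), ("logout", 50, 51)]]
# Constructed test session: the editor now encloses mail, which no training session showed.
TEST = [("login", 0, 1), ("editor", 1, 40), ("mail", 10, 30), ("logout", 40, 41)]
if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print(score_session(profile, TEST))
```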
© 2001 IFIP International Federation for Information Processing
Seleznyov, A. (2001). A Methodology to Detect Temporal Regularities in User Behavior for Anomaly Detection. In: Dupuy, M., Paradinas, P. (eds) Trusted Information. SEC 2001. IFIP International Federation for Information Processing, vol 65. Springer, Boston, MA. https://doi.org/10.1007/0-306-46998-7_24
DOI: https://doi.org/10.1007/0-306-46998-7_24
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-7923-7389-6
Online ISBN: 978-0-306-46998-5