SUMMARYIntrusion detection is used to monitor and capture intrusions into computer and network systems, which attempt to compromise the security of computer and network systems. To protect information systems from intrusions and thus assure the reliability and quality of service of information systems, it is highly desirable to develop techniques that detect intrusions into information systems. Many intrusions manifest in dramatic changes in the intensity of events occurring in information systems. Because of the ability of exponentially weighted moving average (EWMA) control charts to monitor the rate of occurrences of events based on the their intensity, we apply three EWMA statistics to detect anomalous changes in the events intensity for intrusion detections. They include the EWMA chart for autocorrelated data, the EWMA chart for uncorrelated data and the EWMA chart for monitoring the process standard deviation. The objectives of this paper are to provide design procedures for realizing these control charts and investigate their performance using different parameter settings based on one large dataset. The early detection capability of these EWMA techniques is also examined to provide the guidance about the design capacity of information systems.
SUMMARYThis paper presents two different methods of applying stochastic models to computer intrusion detection. One method is based on a first-order stochastic model, specifically a Markov chain model. The other method is based on a partial high-order stochastic model. Stochastic models are used to build a profile of normal activities on a computer from the training data of normal activities on the computer. The norm profile is then used to detect anomalous activities from testing data of both normal and intrusive activities on the computer for intrusion detection. Audit data of computer activities contain a sequence of computer events that is represented as a series of event transitions in stochastic models. The comparison of detection performance between the Markov chain model application and the partial high-order stochastic model application reveals the better detection performance of the Markov chain model application to computer intrusion detection.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.