  • DocumentCode
    2807586
  • Title
    Simultaneous Anomaly and Misuse Intrusion Detections Based on Partial Approximative Set Theory
  • Author
    Csajbók, Zoltán
  • Author_Institution
    Dept. of Health Inf., Univ. of Debrecen, Debrecen, Hungary
  • fYear
    2011
  • fDate
    9-11 Feb. 2011
  • Firstpage
    651
  • Lastpage
    655
  • Abstract
    Nowadays, it is already a banality that people run their applications in a complex open computing environment including all sorts of interconnected devices. In order to meet the network security challenge in nonprofessional human environments, Intrusion Detection Systems (IDS) have to be designed. Intrusion detection techniques are categorized into anomaly and misuse detection. To describe the outlined problem, we focus solely on externally observable executions generated by the observed system. Thus, we need some sort of tool being able to discover acceptable and unacceptable patterns in execution traces. Such a tool may be the rough set theory. According to the rough set theory, the vagueness of a subset of a finite universe U is defined by the difference of its upper and lower approximations with respect to a partition of U. In this paper, our starting point will be an arbitrary family of subsets of an arbitrary U, neither that it covers U nor that U is finite will be assumed. This new approach is called the partial approximative set theory. We will apply this theory to build an IDS which is simultaneously able to detect anomaly and misuse intrusions.
  • Keywords
    computer network security; rough set theory; anomaly detection; intrusion detection system; misuse detection; partial approximative set theory; Approximation methods; Computers; Intrusion detection; Presses; Rough sets; anomaly and misuse intrusions; security policies
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Parallel, Distributed and Network-Based Processing (PDP), 2011 19th Euromicro International Conference on
  • Conference_Location
    Ayia Napa
  • ISSN
    1066-6192
  • Print_ISBN
    978-1-4244-9682-2
  • Type
    conf
  • DOI
    10.1109/PDP.2011.47
  • Filename
    5739062