DocumentCode
397554
Title
Rule-based integration of multiple measure-models for effective intrusion detection
Author
Han, Sang-Jun ; Cho, Sung-Bae
Author_Institution
Dept. of Comput. Sci., Yonsei Univ., South Korea
Volume
1
fYear
2003
fDate
5-8 Oct. 2003
Firstpage
120
Abstract
As the reliance on computers increases, the security of critical computers becomes more important. An IDS detects unauthorized usage and misuse by a local user, as well as modification of important data, by analyzing system calls, system logs, activation time, and network packets. Conventional IDSs based on anomaly detection employ several artificial intelligence techniques to model normal behavior. However, they have the shortcoming that, for each measure and modeling method, some types of intrusion remain undetectable, because each intrusion type results in its own anomalies. We propose a multiple-measure intrusion detection method to remedy this drawback of conventional anomaly detectors. We measure normal behavior by system calls, resource usage and file access events, and build profiles of normal behavior with a hidden Markov model, a statistical method and a rule-based method, which are integrated with a rule-based approach. Experimental results with real data clearly demonstrate the effectiveness of the proposed method, which has a significantly low false-positive error rate against various types of intrusion.
Keywords
artificial intelligence; authorisation; hidden Markov models; statistical analysis; HMM; activation time; anomaly detection; artificial intelligence; false positive error rate; hidden Markov model; intrusion detection; modeling method; multiple measure models; network packets; rule base method; rule based integration; statistical method; system calls; system logs; Computer science; Computer security; Data analysis; Data security; Detectors; Expert systems; Hidden Markov models; Intrusion detection; Neural networks; Statistics;
fLanguage
English
Publisher
ieee
Conference_Titel
Systems, Man and Cybernetics, 2003. IEEE International Conference on
ISSN
1062-922X
Print_ISBN
0-7803-7952-7
Type
conf
DOI
10.1109/ICSMC.2003.1243802
Filename
1243802
Link To Document