DocumentCode
965264
Title
Statistical foundations of audit trail analysis for the detection of computer misuse
Author
Helman, Paul ; Liepins, Gunar
Author_Institution
Dept. of Comput. Sci., New Mexico Univ., Albuquerque, NM, USA
Volume
19
Issue
9
fYear
1993
fDate
9/1/1993 12:00:00 AM
Firstpage
886
Lastpage
901
Abstract
We model computer transactions as generated by two stationary stochastic processes, the legitimate (normal) process N and the misuse process M. We define misuse (anomaly) detection to be the identification of transactions most likely to have been generated by M. We formally demonstrate that the accuracy of misuse detectors is bounded by a function of the difference of the densities of the processes N and M over the space of transactions. In practice, detection accuracy can be far below this bound, and generally improves with increasing sample size of historical (training) data. Careful selection of transaction attributes also can improve detection accuracy; we suggest several criteria for attribute selection, including adequate sampling rate and separation between models. We demonstrate that exactly optimizing even the simplest of these criteria is NP-hard, thus motivating a heuristic approach. We further differentiate between modeling (density estimation) and nonmodeling approaches
Keywords
auditing; computer crime; security of data; stochastic processes; transaction processing; NP-hard; audit trail analysis; computer misuse; computer transactions; density estimation; detection accuracy; heuristic approach; misuse detectors; modeling; stationary stochastic processes; statistical foundations; system security; transaction attributes; Computer science; Detectors; Intrusion detection; Laboratories; Monitoring; Physics computing; Sampling methods; Space stations; Stochastic processes; System testing;
fLanguage
English
Journal_Title
IEEE Transactions on Software Engineering
Publisher
ieee
ISSN
0098-5589
Type
jour
DOI
10.1109/32.241771
Filename
241771