DocumentCode :
965264
Title :
Statistical foundations of audit trail analysis for the detection of computer misuse
Author :
Helman, Paul ; Liepins, Gunar
Author_Institution :
Dept. of Comput. Sci., New Mexico Univ., Albuquerque, NM, USA
Volume :
19
Issue :
9
fYear :
1993
fDate :
9/1/1993 12:00:00 AM
Firstpage :
886
Lastpage :
901
Abstract :
We model computer transactions as generated by two stationary stochastic processes, the legitimate (normal) process N and the misuse process M. We define misuse (anomaly) detection to be the identification of transactions most likely to have been generated by M. We formally demonstrate that the accuracy of misuse detectors is bounded by a function of the difference of the densities of the processes N and M over the space of transactions. In practice, detection accuracy can be far below this bound, and generally improves with increasing sample size of historical (training) data. Careful selection of transaction attributes also can improve detection accuracy; we suggest several criteria for attribute selection, including adequate sampling rate and separation between models. We demonstrate that exactly optimizing even the simplest of these criteria is NP-hard, thus motivating a heuristic approach. We further differentiate between modeling (density estimation) and nonmodeling approaches.
Keywords :
auditing; computer crime; security of data; stochastic processes; transaction processing; NP-hard; audit trail analysis; computer misuse; computer transactions; density estimation; detection accuracy; heuristic approach; misuse detectors; modeling; stationary stochastic processes; statistical foundations; system security; transaction attributes; Computer science; Detectors; Intrusion detection; Laboratories; Monitoring; Physics computing; Sampling methods; Space stations; Stochastic processes; System testing;
fLanguage :
English
Journal_Title :
Software Engineering, IEEE Transactions on
Publisher :
IEEE
ISSN :
0098-5589
Type :
jour
DOI :
10.1109/32.241771
Filename :
241771