J. Shavlik & M. Shavlik (2004).
Selection, Combination, and Evaluation of Effective Software Sensors for Detecting Abnormal Computer Usage. Proceedings of the Tenth International Conference on Knowledge Discovery and Data Mining, pp. 276-285, Seattle, WA.
This publication is available in PDF and in Microsoft Word.
The slides for this publication are available in Microsoft PowerPoint.
We present and empirically analyze a machine-learning approach for detecting intrusions on individual computers. Our Winnow-based algorithm continually monitors user and system behavior, recording such properties as the number of bytes transferred over the last 10 seconds, the programs that currently are running, and the load on the CPU. In all, hundreds of measurements are made and analyzed each second. Using this data, our algorithm creates a model that represents each particular computer's range of normal behavior. Parameters that determine when an alarm should be raised, due to abnormal activity, are set on a per-computer basis, based on an analysis of training data. A major issue in intrusion-detection systems is the need for very low false-alarm rates. Our empirical results suggest that it is possible to obtain high intrusion-detection rates (95%) and low false-alarm rates (less than one per day per computer), without "stealing" too many CPU cycles (less than 1%). We also report which system measurements are the most valuable in terms of detecting intrusions. A surprisingly large number of different measurements prove significantly useful.
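The abstract describes the shape of the approach (per-second measurements, a Winnow-learned model of one computer's normal behavior, and a per-computer alarm threshold derived from training data) without the mechanics. The following is an added illustration written for this page, not the authors' code: it uses textbook Winnow (weights start at 1, multiplicative promotion/demotion on mistakes, threshold of half the feature count) over quantile-binned measurements, treats traces from other hosts as the negative class, scores 30-second windows, and sets the alarm threshold at the worst window score seen on held-out normal data plus a margin. The three measurement names, the bin counts, the window size, the calibration rule and the synthetic traces are all assumptions made for the example; the paper's actual feature set and parameters are not reproduced here.

```python
"""Added illustration of a Winnow-based per-host anomaly detector.

Not the paper's code: the feature set, binning scheme, window size and
calibration rule below are assumptions made for this example.
"""
import random

ALPHA = 2.0   # Winnow promotion/demotion factor (assumed)
N_BINS = 4    # bins per raw measurement (assumed)


def learn_bins(samples, n_bins=N_BINS):
    """Quantile cut-points per measurement, learned from training samples."""
    bins = {}
    for name in samples[0]:
        vals = sorted(s[name] for s in samples)
        bins[name] = [vals[len(vals) * i // n_bins] for i in range(1, n_bins)]
    return bins


def binarize(sample, bins):
    """Map one second of raw measurements to its set of active boolean features."""
    feats = set()
    for name, cuts in bins.items():
        k = sum(1 for c in cuts if sample[name] >= c)  # index of the bin holding the value
        feats.add(f"{name}:bin{k}")
    return feats


class Winnow:
    """Standard Winnow: weights start at 1, change multiplicatively only on mistakes."""

    def __init__(self, feature_names, alpha=ALPHA):
        self.w = {f: 1.0 for f in feature_names}
        self.theta = len(feature_names) / 2.0
        self.alpha = alpha

    def predict(self, feats):
        return sum(self.w.get(f, 0.0) for f in feats) >= self.theta

    def update(self, feats, label):
        """`label` is True when the second belongs to this host's own user."""
        if self.predict(feats) == label:
            return
        factor = self.alpha if label else 1.0 / self.alpha
        for f in feats:
            if f in self.w:
                self.w[f] *= factor


class HostDetector:
    """Per-host model: own traces are positives, other hosts' traces are negatives (assumed)."""

    def __init__(self, own_train, other_train, window=30, epochs=3):
        self.bins = learn_bins(own_train + other_train)
        names = [f"{n}:bin{k}" for n in self.bins for k in range(N_BINS)]
        self.clf = Winnow(names)
        self.window = window
        self.threshold = 1.0
        examples = [(binarize(s, self.bins), True) for s in own_train] + \
                   [(binarize(s, self.bins), False) for s in other_train]
        for _ in range(epochs):
            for feats, label in examples:
                self.clf.update(feats, label)

    def window_score(self, samples):
        """Fraction of seconds in the window the model attributes to someone else."""
        return sum(not self.clf.predict(binarize(s, self.bins)) for s in samples) / len(samples)

    def calibrate(self, own_holdout, margin=0.05):
        """Per-host alarm threshold: worst window score on held-out normal data plus a margin."""
        scores = [self.window_score(own_holdout[i:i + self.window])
                  for i in range(0, len(own_holdout) - self.window + 1, self.window)]
        self.threshold = min(1.0, max(scores) + margin)

    def alarm(self, samples):
        return self.window_score(samples) > self.threshold


def synth(rng, n, byte_rng, proc_rng, cpu_rng):
    """Constructed per-second measurements for the demo; not real traces."""
    return [{"bytes_10s": rng.uniform(*byte_rng),
             "n_procs": rng.randint(*proc_rng),
             "cpu_load": rng.uniform(*cpu_rng)} for _ in range(n)]


def demo(seed=42):
    rng = random.Random(seed)
    own = lambda n: synth(rng, n, (1_000, 5_000), (30, 40), (0.05, 0.40))
    other = lambda n: synth(rng, n, (20_000, 80_000), (60, 90), (0.50, 0.95))
    det = HostDetector(own(300), other(300))
    det.calibrate(own(300))                      # held-out normal data sets the threshold
    return {"threshold": det.threshold,
            "alarm_on_normal": det.alarm(own(30)),
            "alarm_on_attack": det.alarm(other(30))}


if __name__ == "__main__":
    print(demo())
```

Because the weights only move on mistakes, a run of seconds that look like the host's own user leaves the model untouched, which is what keeps the per-second cost small; the calibration step is the part that makes the false-alarm rate a per-computer property rather than a global constant.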