OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Statistical foundations of audit trail analysis for the detection of computer misuse

Journal Article · IEEE (Institute of Electrical and Electronics Engineers) Transactions on Software Engineering (United States)
DOI: https://doi.org/10.1109/32.241771 · OSTI ID: 5636136
Authors: [1]; [2]
  1. Univ. of New Mexico, Albuquerque, NM (United States). Computer Science Dept.
  2. Oak Ridge National Lab., Oak Ridge, TN (United States); Univ. of Tennessee, Knoxville, TN (United States). Computer Science Dept.

The authors model computer transactions as generated by two stationary stochastic processes, the legitimate (normal) process N and the misuse process M. They define misuse (anomaly) detection to be the identification of transactions most likely to have been generated by M. They formally demonstrate that the accuracy of misuse detectors is bounded by a function of the difference of the densities of the processes N and M over the space of transactions. In practice, detection accuracy can be far below this bound, and generally improves with increasing sample size of historical (training) data. Careful selection of transaction attributes can also improve detection accuracy; they suggest several criteria for attribute selection, including adequate sampling rate and separation between models. They demonstrate that exactly optimizing even the simplest of these criteria is NP-hard, thus motivating a heuristic approach. They further differentiate between modeling (density estimation) and nonmodeling approaches. They introduce a frequentist method as a special case of the former, and Wisdom and Sense, developed at Los Alamos National Laboratory, as a special case of the latter. For nonmodeling approaches such as Wisdom and Sense that generate statistical rules, they show that the rules must be maximally specific to ensure consistency with Bayesian analysis. Finally, they provide suggestions for testing detection systems and present limited test results using Wisdom and Sense and the frequentist approach.
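As an added illustration (not code from the paper or from this record), the density-difference bound and the sample-size effect in a constructed toy setting: it assumes a six-value transaction space, equal priors for N and M, and the standard Bayes-error form of the bound, 1/2 + TV(N, M)/2 with TV the total variation distance, rather than the paper's own bound function. The frequentist detector is a plain relative-frequency density estimate, an assumption about how such a method would be realised.

```python
import random

# Constructed densities of the two processes over a 6-point transaction
# space (attribute values 0..5); the values are illustrative, not the paper's.
N = [0.40, 0.30, 0.15, 0.10, 0.04, 0.01]   # legitimate process
M = [0.02, 0.05, 0.10, 0.23, 0.30, 0.30]   # misuse process


def total_variation(p, q):
    """Total variation distance: half the L1 difference of two densities."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def optimal_accuracy(p, q):
    """Accuracy of the Bayes-optimal detector under equal priors (assumed).

    No decision rule on this space can exceed it, so it bounds every
    practical detector built from the same transaction attributes."""
    return 0.5 + 0.5 * total_variation(p, q)


def rule_accuracy(flagged, p, q):
    """Exact accuracy of a rule that flags the values in `flagged` as misuse,
    scored against the true densities with equal priors."""
    return 0.5 * sum(px for x, px in enumerate(p) if x not in flagged) + \
           0.5 * sum(qx for x, qx in enumerate(q) if x in flagged)


def frequentist_rule(n_samples, m_samples, size):
    """Frequentist detector: relative-frequency density estimates with
    add-one smoothing; flag x when the estimated M density exceeds N's."""
    n_hat = [(n_samples.count(x) + 1) / (len(n_samples) + size) for x in range(size)]
    m_hat = [(m_samples.count(x) + 1) / (len(m_samples) + size) for x in range(size)]
    return {x for x in range(size) if m_hat[x] > n_hat[x]}


def tiny_training_accuracy():
    """Five constructed training transactions per process: values 2 and 3
    were never observed, so the rule leaves the misuse mass at 3 unflagged."""
    rule = frequentist_rule([0, 0, 1, 0, 1], [4, 5, 5, 4, 5], len(N))
    return rule_accuracy(rule, N, M)


def sampled_training_accuracy(n_train, seed=7):
    """Train on n_train pseudo-random transactions per process (fixed seed)."""
    rng = random.Random(seed)
    n_samples = rng.choices(range(len(N)), N, k=n_train)
    m_samples = rng.choices(range(len(M)), M, k=n_train)
    return rule_accuracy(frequentist_rule(n_samples, m_samples, len(N)), N, M)
```

With the constructed densities the bound is 0.84; the five-sample detector reaches 0.775, and a few thousand training transactions per process recover the bound.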

Journal Information:
IEEE (Institute of Electrical and Electronics Engineers) Transactions on Software Engineering (United States), Vol. 19:9; ISSN 0098-5589
Country of Publication:
United States
Language:
English