Selection, Combination, and Evaluation of Effective Software Sensors for Detecting Abnormal Usage of Computers Running Windows NT/2000
Abstract
Intrusion-detection systems (IDS) can either (a) look for known attack patterns, or (b) be adaptive software that monitors a system, learns how it behaves under normal operation, and recognizes when that behavior changes because misuse is occurring. This project took approach (b). Specifically, the authors empirically determined which sets of fine-grained system measurements are most effective at distinguishing usage by the assigned user of a given computer from misuse by other insiders within the organization. The project made significant progress toward an IDS that requires few CPU cycles (less than 1 percent), produces few false alarms (less than one per day), and detects most intrusions quickly (about 95 percent within 5 minutes).

The algorithm measures over 200 Windows 2000 properties every second and derives about 1,500 features from them. During a machine-learning training phase it learns how to weight these 1,500 features so that they accurately characterize the behavior of a particular user; each user gets his or her own set of feature weights. After training, every second all of the features vote on whether an intrusion appears to be occurring. The weighted votes for and against an intrusion are compared, and if there is enough evidence an alarm is raised.
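The per-user weighting and per-second voting described in the abstract, as an added illustrative example (not code from the report or its authors). Everything below is an assumption made for illustration: the four measurement names stand in for the report's 200-plus Windows 2000 properties, the two simulated "users" are constructed Gaussian profiles, each property is turned into three binary band features (low/mid/high relative to the assigned user's own 20th and 80th percentiles), the learned weights are per-feature log-likelihood ratios of firing rates under "other insider" versus "assigned user" data (a naive-Bayes-style rule; the abstract does not say which learning rule the report used), and an alarm requires 80 percent of the last 30 seconds to vote "intrusion" rather than a single noisy second.

```python
"""Illustrative per-user weighted-voting anomaly detector.

Added example, not the report's code.  Assumed: made-up measurement
names, simulated Gaussian users, quantile-band features, log-likelihood
ratio weights, and a 30-second voting window before an alarm is raised.
"""
import math
import random
from collections import deque
from statistics import quantiles

# Assumed stand-ins for the report's 200+ per-second system properties.
PROPERTIES = ("cpu_pct", "process_count", "keys_per_sec", "net_bytes")


def simulate_seconds(rng, profile, n):
    """Constructed data: n once-per-second measurement dicts drawn from a
    per-user profile {property: (mean, stdev)}, clamped at zero."""
    return [{p: max(0.0, rng.gauss(*profile[p])) for p in PROPERTIES}
            for _ in range(n)]


class VotingDetector:
    """One detector per assigned user: personalised features and weights."""

    def __init__(self, own_train, other_train, window=30, vote_fraction=0.8):
        # Band cut points come from the assigned user's own data, so what
        # counts as "high" CPU or "low" typing rate is specific to that user.
        self.cuts = {}
        for p in PROPERTIES:
            deciles = quantiles([s[p] for s in own_train], n=10)
            self.cuts[p] = (deciles[1], deciles[7])  # 20th and 80th percentile
        self.names = [f"{p}:{band}" for p in PROPERTIES
                      for band in ("low", "mid", "high")]
        # Per-feature weight = log(P(fires | other insider) / P(fires | owner)).
        # Positive favours "intrusion", negative favours "normal" (assumed rule).
        own_rate = self._rates(own_train)
        other_rate = self._rates(other_train)
        self.weight = {f: math.log(other_rate[f] / own_rate[f]) for f in self.names}
        self.window = window
        self.vote_fraction = vote_fraction
        self.recent = deque(maxlen=window)

    def features(self, sample):
        """Binary features that fire for one second of measurements."""
        fired = []
        for p in PROPERTIES:
            lo, hi = self.cuts[p]
            v = sample[p]
            fired.append(f"{p}:{'low' if v < lo else 'high' if v > hi else 'mid'}")
        return fired

    def _rates(self, samples):
        """Firing rate of each feature with add-one smoothing (never zero)."""
        counts = dict.fromkeys(self.names, 0)
        for s in samples:
            for f in self.features(s):
                counts[f] += 1
        return {f: (counts[f] + 1) / (len(samples) + 2) for f in self.names}

    def votes(self, sample):
        """Weighted votes for and against an intrusion in this second."""
        for_intrusion = against = 0.0
        for f in self.features(sample):
            w = self.weight[f]
            if w > 0:
                for_intrusion += w
            else:
                against -= w
        return for_intrusion, against

    def step(self, sample):
        """Feed one second; alarm once enough of the recent window voted intrusion."""
        for_intrusion, against = self.votes(sample)
        self.recent.append(for_intrusion > against)
        if len(self.recent) < self.window:
            return False
        return sum(self.recent) / self.window >= self.vote_fraction


def seconds_to_alarm(detector, stream):
    """Index of the first alarm second in the stream, or None if none is raised."""
    detector.recent.clear()
    for i, sample in enumerate(stream):
        if detector.step(sample):
            return i
    return None


def demo():
    """Train on the owner ("alice") versus another insider ("mallory"), then
    measure false alarms on an hour of the owner and time-to-alarm on misuse."""
    rng = random.Random(2002)  # fixed seed: constructed, repeatable data
    alice = {"cpu_pct": (20, 5), "process_count": (40, 3),
             "keys_per_sec": (4, 1), "net_bytes": (2000, 500)}
    mallory = {"cpu_pct": (70, 8), "process_count": (80, 4),
               "keys_per_sec": (0.5, 0.3), "net_bytes": (20000, 3000)}
    det = VotingDetector(simulate_seconds(rng, alice, 1800),
                         simulate_seconds(rng, mallory, 1800))
    false_alarm = seconds_to_alarm(det, simulate_seconds(rng, alice, 3600))
    detect = seconds_to_alarm(det, simulate_seconds(rng, mallory, 300))
    return false_alarm, detect


if __name__ == "__main__":
    print("owner false alarm at second:", demo()[0], "| misuse alarm at second:", demo()[1])
```

The window rule is what keeps the false-alarm rate down: the owner occasionally lands in all four "intruder" bands in the same second, which wins that second's vote, but a run of 24 such seconds out of 30 essentially never happens, while the other insider wins every second and trips the alarm as soon as the window fills.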
Document Details
- Document Type
- Technical Report
- Publication Date
- Apr 01, 2002
- Accession Number
- ADA406316
Entities
People
- Jude Shavlik