
One-class Classification and Immune Framework in Abnormal Detection

Journal of Nanjing University of Science and Technology (Natural Science Edition) [ISSN:1005-9830/CN:32-1397/N]

Issue:
2006, No. 1
Page:
48-52
Research Field:
Publishing date:
2006-02-28

Info

Title:
One-class Classification and Immune Framework in Abnormal Detection
Author(s):
PAN Zhi-song, NI Gui-qiang, TAN Ling, HU Gu-yu
Institute of Command Automation,PLA University of Science and Technology,Nanjing 210007,China
Keywords:
intrusion detection; self-organizing maps; one-class classifier; artificial immune theory
PACS:
TP393.08
DOI:
-
Abstract:
Anomaly detection on sequences of system calls can detect attacks such as U2R (user to root) and R2L (remote to local). Because attack data are hard to obtain, administrators usually have only normal system-call sequences available. A one-class classifier based on an improved self-organizing maps algorithm was designed to solve this one-class problem in anomaly detection: every activity that deviates from the normal patterns is classified as an intrusion. In experiments on sequences of system calls, the one-class classifier achieved a 100% detection rate with a 4.9% false alarm rate. A framework for distributed intrusion detection based on artificial immune theory is given, and a detector algorithm based on one-class classification is designed and discussed. The resulting intrusion detection framework is distributed, self-organizing and efficient, and the approach offers a new direction for future intrusion detection systems.
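As an added illustration, not code from the paper (the improved self-organizing map algorithm itself is not described on this page), the Python below implements the one-class setup the abstract outlines: a plain Kohonen SOM is trained only on sliding windows of normal system calls, the largest quantization error observed on the training windows becomes the decision threshold, and any window of a new trace that lies farther from the map than that is reported as an intrusion. The traces, the window length of 3, the 4x4 grid and the training schedule are constructed assumptions for the demo, not data or parameters from the paper.

```python
"""One-class system-call anomaly detector on a plain Kohonen SOM.

Added illustration with constructed toy traces; not the paper's
'improved SOM', whose details are not given on this page.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

UNK = "<unk>"  # column for system calls never seen in the normal profile


def windows(trace: Sequence[str], k: int) -> List[Tuple[str, ...]]:
    """Sliding k-grams over a system-call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class SyscallSOM:
    def __init__(self, k: int = 3, rows: int = 4, cols: int = 4, seed: int = 7):
        self.k, self.rows, self.cols = k, rows, cols
        self.rng = random.Random(seed)  # fixed seed keeps the demo reproducible
        self.vocab: Dict[str, int] = {}
        self.weights: List[List[float]] = []
        self.threshold = 0.0

    def _encode(self, window: Tuple[str, ...]) -> List[float]:
        """One-hot code per window slot; unknown calls land in the UNK column."""
        v = len(self.vocab)
        vec = [0.0] * (self.k * v)
        for slot, name in enumerate(window):
            vec[slot * v + self.vocab.get(name, self.vocab[UNK])] = 1.0
        return vec

    @staticmethod
    def _dist(a: Sequence[float], b: Sequence[float]) -> float:
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def _bmu(self, vec: Sequence[float]) -> Tuple[int, float]:
        """Best-matching unit and its quantization error (distance to vec)."""
        dists = [self._dist(vec, w) for w in self.weights]
        best = min(range(len(dists)), key=dists.__getitem__)
        return best, dists[best]

    def fit(self, normal_traces: Sequence[Sequence[str]], epochs: int = 100, lr0: float = 0.5) -> None:
        names = sorted({s for t in normal_traces for s in t})
        self.vocab = {n: i for i, n in enumerate(names + [UNK])}
        data = [self._encode(w) for t in normal_traces for w in windows(t, self.k)]
        # Start every prototype at a normal window: the map then stays inside the
        # convex hull of normal behaviour and the UNK columns remain exactly 0.
        self.weights = [list(self.rng.choice(data)) for _ in range(self.rows * self.cols)]
        sigma0 = max(self.rows, self.cols) / 2.0
        steps, t = epochs * len(data), 0
        for _ in range(epochs):
            self.rng.shuffle(data)
            for x in data:
                frac = t / steps
                lr = lr0 * (1.0 - frac)                   # linearly decaying learning rate
                sigma = max(sigma0 * (1.0 - frac), 0.3)   # shrinking Gaussian neighbourhood
                b, _ = self._bmu(x)
                br, bc = divmod(b, self.cols)
                for i, w in enumerate(self.weights):
                    r, c = divmod(i, self.cols)
                    h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2.0 * sigma * sigma))
                    for d, xd in enumerate(x):
                        w[d] += lr * h * (xd - w[d])
                t += 1
        # One-class rule: anything farther from the map than the worst-fitting
        # normal window is treated as abnormal.
        self.threshold = max(self._bmu(x)[1] for x in data)

    def window_errors(self, trace: Sequence[str]) -> List[Tuple[Tuple[str, ...], float]]:
        return [(w, self._bmu(self._encode(w))[1]) for w in windows(trace, self.k)]

    def is_anomalous(self, trace: Sequence[str]) -> bool:
        return any(err > self.threshold for _, err in self.window_errors(trace))


# Constructed toy profile of a file-copying daemon (assumed data, not a real corpus).
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "fstat", "read", "read", "write", "close"],
]

TEST_TRACES = {
    "normal_replay": ["open", "fstat", "read", "write", "write", "close"],  # all 3-grams seen
    "reordered": ["open", "write", "read", "close"],                        # known calls, new order
    "spawned_shell": ["open", "read", "write", "socket", "connect", "execve", "setuid", "close"],
}


def run_demo():
    som = SyscallSOM()
    som.fit(NORMAL_TRACES)
    verdicts = {name: som.is_anomalous(trace) for name, trace in TEST_TRACES.items()}
    return som, verdicts


if __name__ == "__main__":
    som, verdicts = run_demo()
    print(f"threshold = {som.threshold:.3f}")
    for name, flagged in verdicts.items():
        worst = max(e for _, e in som.window_errors(TEST_TRACES[name]))
        print(f"{name:14s} worst window error {worst:.3f} -> {'INTRUSION' if flagged else 'normal'}")
```

Running it prints the threshold and the worst window error of each trace. The replayed normal session can never raise an alarm, because every one of its windows was in the training set and so scores at or below the threshold; the burst of never-seen calls is always caught, because those windows fall into UNK columns that no prototype has ever moved into. Whether the reordered trace of known calls is flagged depends on how tightly the map fits the nine distinct training windows, and that is exactly the trade-off behind the paper's 100% detection versus 4.9% false alarms: on real data, benign windows that were absent from training force a choice between a looser threshold and more false alarms.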


Last Update: 2006-02-28