IMPROVED OFF-LINE INTRUSION DETECTION USING A GENETIC ALGORITHM

Pedro A. Diaz-Gomez, Dean F. Hougen

Abstract

One of the primary approaches to the increasingly important problem of computer security is the Intrusion Detection System (IDS). Various architectures and approaches have been proposed, including statistical and rule-based approaches, Neural Networks, Immune Systems, Genetic Algorithms, and Genetic Programming. This paper focuses on the development of an off-line IDS to analyze a Sun audit trail file. Off-line intrusion detection can be accomplished by searching audit trail logs of user activities for matches to the patterns of events required for known attacks. Because such a search is NP-complete, heuristic methods will need to be employed as the databases of events and attacks grow, and Genetic Algorithms can provide appropriate heuristic search methods. However, balancing the need to detect all attacks present in an audit trail against the need to avoid false positives (warnings about attacks that did not occur) is a challenge, given the scalar fitness values required by Genetic Algorithms. This study discusses a fitness function that is independent of variable parameters to overcome this problem; it allows the IDS to significantly reduce both its false positive and false negative rates. The paper also describes extending the system to handle both the case in which intrusions are mutually exclusive and the case in which they are not.
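The search the abstract describes, worked as an added example that is not the paper's code: it uses the general GASSATA-style encoding (Mé, 1998) of a binary hypothesis vector over known attacks, an attack-event matrix and an observed event count vector, run over a constructed audit trail against constructed attack patterns. The event types, attack names, the trail, the penalty-free fitness function and the reading of "mutually exclusive" (one audit event can support at most one attack) are this example's assumptions, not the paper's definitions.

```python
"""GA search of an audit trail for known attack patterns (illustrative).

Encoding follows the general GASSATA-style formulation (Mé, 1998): a
binary hypothesis vector H marks which attacks are asserted, the
attack-event matrix AE gives the events each attack needs, and O is the
event count vector observed in the trail.  Everything below (event types,
attack patterns, trail, fitness) is constructed for this example.
"""
import random

EVENT_TYPES = ["login_fail", "su", "chmod", "execve", "file_read"]
ATTACKS = {  # constructed patterns: attack -> required count per event type
    "brute_force": {"login_fail": 5},
    "priv_esc": {"su": 2, "chmod": 1},
    "backdoor": {"chmod": 1, "execve": 1},
    "data_theft": {"file_read": 4, "execve": 1},
}
ATTACK_NAMES = list(ATTACKS)
# Constructed trail, reduced to one event type per record (a real BSM
# trail would have to be parsed into these types first).
AUDIT_TRAIL = (["login_fail"] * 6 + ["su"] * 2 + ["chmod"] + ["execve"]
               + ["file_read"] * 4)


def event_counts(trail):
    """Observed count vector O, one entry per event type."""
    return [sum(1 for ev in trail if ev == e) for e in EVENT_TYPES]


def attack_event_matrix():
    """AE[i][j] = events of type i required by attack j."""
    return [[ATTACKS[a].get(e, 0) for a in ATTACK_NAMES] for e in EVENT_TYPES]


def demanded(ae, hyp, exclusive):
    """Event counts a hypothesis must find in the trail.
    exclusive=True: one audit event can support only one attack, so the
    demands of asserted attacks add up (AE.H).  exclusive=False: each
    attack is checked against O on its own, so the demand per event type
    is the largest single requirement among asserted attacks."""
    need = []
    for row in ae:
        reqs = [row[j] for j, h in enumerate(hyp) if h]
        need.append(sum(reqs) if exclusive else max(reqs, default=0))
    return need


def fitness(hyp, ae, observed, exclusive):
    """Scalar fitness with no tunable penalty weight (this example's own
    choice, not the paper's function).  A feasible hypothesis, whose every
    demanded count is present in the trail, scores the number of attacks
    it asserts; an infeasible one scores (satisfied/total constraints) - 1,
    always negative, so feasibility dominates without a weight to balance
    detections against false positives."""
    need = demanded(ae, hyp, exclusive)
    ok = sum(1 for n, o in zip(need, observed) if n <= o)
    return float(sum(hyp)) if ok == len(observed) else ok / len(observed) - 1.0


def ga_search(observed, exclusive=True, pop_size=40, generations=100, seed=7):
    """Evolve hypotheses; return the attacks asserted by the best one found."""
    rng = random.Random(seed)
    ae, n = attack_event_matrix(), len(ATTACK_NAMES)
    # Seed with the "no attack" hypothesis so the incumbent is always feasible.
    pop = [[0] * n] + [[rng.randint(0, 1) for _ in range(n)]
                       for _ in range(pop_size - 1)]
    best, best_fit = list(pop[0]), 0.0
    for _ in range(generations):
        fits = [fitness(h, ae, observed, exclusive) for h in pop]
        for h, f in zip(pop, fits):
            if f > best_fit:
                best, best_fit = list(h), f

        def pick():  # binary tournament selection
            a, b = rng.randrange(pop_size), rng.randrange(pop_size)
            return pop[a] if fits[a] >= fits[b] else pop[b]

        nxt = [list(best)]  # elitism
        while len(nxt) < pop_size:
            cut = rng.randrange(1, n)
            child = pick()[:cut] + pick()[cut:]  # one-point crossover
            if rng.random() < 0.2:  # single-bit mutation
                child[rng.randrange(n)] ^= 1
            nxt.append(child)
        pop = nxt
    return {a for a, h in zip(ATTACK_NAMES, best) if h}


def exhaustive_search(observed, exclusive=True):
    """Check every 2^n hypothesis; fine for four attacks, hopeless for a
    real attack database, which is what motivates the GA."""
    ae, n = attack_event_matrix(), len(ATTACK_NAMES)
    hyps = [[(m >> j) & 1 for j in range(n)] for m in range(2 ** n)]
    best = max(hyps, key=lambda h: fitness(h, ae, observed, exclusive))
    return {a for a, h in zip(ATTACK_NAMES, best) if h}


if __name__ == "__main__":
    O = event_counts(AUDIT_TRAIL)
    for excl in (True, False):
        print("mutually exclusive" if excl else "not mutually exclusive",
              "| GA:", sorted(ga_search(O, excl)),
              "| exhaustive:", sorted(exhaustive_search(O, excl)))
```

With this trail the constructed patterns overlap on the single chmod and execve records. Under the mutually exclusive reading, exhaustive enumeration finds that brute_force, priv_esc and data_theft can be asserted together but backdoor cannot be added without claiming events that are already spent, so it is left out; under the non-exclusive reading all four patterns match individually and all four are asserted, which is exactly the extra false-positive risk the abstract's last sentence is about. The GA should reach the same answers on a problem this small; the exhaustive search is there only as a check, since its 2^n cost is the reason for the heuristic in the first place.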

Paper Citation


in Harvard Style

Diaz-Gomez, P. A. and Hougen, D. F. (2005). IMPROVED OFF-LINE INTRUSION DETECTION USING A GENETIC ALGORITHM. In Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 972-8865-19-8, pages 66-73. DOI: 10.5220/0002553100660073


in Bibtex Style

@conference{iceis05,
author={Pedro A. Diaz-Gomez and Dean F. Hougen},
title={IMPROVED OFF-LINE INTRUSION DETECTION USING A GENETIC ALGORITHM},
booktitle={Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 2: ICEIS},
year={2005},
pages={66-73},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002553100660073},
isbn={972-8865-19-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 2: ICEIS
TI - IMPROVED OFF-LINE INTRUSION DETECTION USING A GENETIC ALGORITHM
SN - 972-8865-19-8
AU - Diaz-Gomez, Pedro A.
AU - Hougen, Dean F.
PY - 2005
SP - 66
EP - 73
DO - 10.5220/0002553100660073