Remote attack detection method in IDA

MLSI-based intrusion detection with discriminant analysis

Midori Asaka, Takefumi Onabuta, Tadashi Inoue, Shunji Okazawa, Shigeki Goto

    Research output: Contribution to journal (Article)

    Abstract

    In order to detect intrusions, IDA (Intrusion Detection Agent system) first monitors system logs to discover an MLSI (Mark Left by Suspected Intruder), an event that in many cases occurs during an intrusion. If an MLSI is found, IDA then judges whether the MLSI is accompanied by an intrusion. We adopt discriminant analysis to analyze the information gathered after IDA detects an MLSI in a remote attack. Discriminant analysis provides a classification function that allows IDA to separate intrusive activities from nonintrusive activities. Using discriminant analysis, we can detect intrusions by analyzing only a part of the system calls occurring on a host machine, and we can determine whether an unknown sample is an intrusion. In this paper, we explain in detail how we perform discriminant analysis to detect intrusions, and we evaluate the classification function. We also describe how to extract a sample from system logs, which is necessary to implement the discriminant analysis function in IDA.

    Original language: English
    Pages (from-to): 50-62
    Number of pages: 13
    Journal: Electronics and Communications in Japan, Part I: Communications (English translation of Denshi Tsushin Gakkai Ronbunshi)
    Volume: 86
    Issue number: 4
    DOI: 10.1002/ecja.10053
    Publication status: Published - 2003 Apr

    Keywords

    • Computer security
    • Discriminant analysis
    • Intrusion detection agent (IDA)
    • Marks left by suspected intruders (MLSI)
    • Remote attack detection

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Electrical and Electronic Engineering

    Cite this

    Remote attack detection method in IDA : MLSI-based intrusion detection with discriminant analysis. / Asaka, Midori; Onabuta, Takefumi; Inoue, Tadashi; Okazawa, Shunji; Goto, Shigeki.

    In: Electronics and Communications in Japan, Part I: Communications (English translation of Denshi Tsushin Gakkai Ronbunshi), Vol. 86, No. 4, 04.2003, p. 50-62.

    Research output: Contribution to journal (Article)

    @article{a9a14fa5d5c14100b9643a30ad24388e,
    title = "Remote attack detection method in IDA: MLSI-based intrusion detection with discriminant analysis",
    abstract = "In order to detect intrusions, IDA (Intrusion Detection Agent system) initially monitors system logs in order to discover an MLSI - which is a certain event which in many cases occurs during an intrusion. If an MLSI is found, then IDA judges whether the MLSI is accompanied by an intrusion. We adopt discriminant analysis to analyze information after IDA detects an MLSI in a remote attack. Discriminant analysis provides a classification function that allows IDA to separate intrusive activities from nonintrusive activities. Using discriminant analysis, we can detect intrusions by analyzing only a part of the system calls occurring on a host machine, and we can determine whether an unknown sample is an intrusion. In this paper, we explain in detail how we perform discriminant analysis to detect intrusions, and evaluate the classification function. We also describe how to extract a sample from system logs, which is necessary to implement the discriminant analysis function in IDA.",
    keywords = "Computer security, Discriminant analysis, Intrusion detection agent (IDA), Marks left by suspected intruders (MLSI), Remote attack detection",
    author = "Midori Asaka and Takefumi Onabuta and Tadashi Inoue and Shunji Okazawa and Shigeki Goto",
    year = "2003",
    month = "4",
    doi = "10.1002/ecja.10053",
    language = "English",
    volume = "86",
    pages = "50--62",
    journal = "Electronics and Communications in Japan, Part I: Communications (English translation of Denshi Tsushin Gakkai Ronbunshi)",
    issn = "8756-6621",
    publisher = "John Wiley and Sons Inc.",
    number = "4",

    }
