Statistical modeling of UNIX users and processes with application to computer intrusion detection.

Abstract

High-order Markov chain and rarity models are proposed for profiling UNIX users and processes to identify their “signature behaviors”. Sequences of shell commands and system calls are employed as the audit data stream for users and processes, respectively. The goal of monitoring is to detect potential intrusions by discovering irregularities in their behaviors.

Starting from a high-order Markov chain model, the first method evolves into a hybrid model which is based mostly on the Markov chain element and occasionally on a statistical-independence model. A procedure driven by Maximum Likelihood (ML) considerations is devised to estimate the model parameters as the profile of normal behavior. The formal ML estimates are numerically intractable, but the ML-optimization problem can be substituted by a linear inverse problem with positivity constraint (LIN-INPOS), for which the EM algorithm can be used as an equation solver to produce an approximate ML estimate. The second method focuses on the “rarity” of short sequences of audit data, which is measured by their relative usage frequencies. Individual commands (or system calls) as well as the transitions between them are taken into account to formulate scores. It requires little computing resource and can be easily implemented.

The intrusion detection system works by comparing a sequence of audit data to the corresponding estimated signature behaviors in real time through statistical hypothesis testing. A form of likelihood-ratio test is devised. In the case of user profiling, it is used to detect whether a given sequence of commands is from the proclaimed user, with the alternative hypothesis being a masquerader. In the case of process modeling, we test whether a target system-call trace is part of the execution of an intrusion program. Real-life data collected from AT&T Labs - Research and publicly available data from the University of New Mexico are utilized to assess the proposed approaches. The experimental results indicate that our models hold promise and open the door for many exciting modifications and extensions for computer intrusion detection.

Bibliographic record

  • Author: Ju, Wen-Hua.
  • Affiliation: Rutgers The State University of New Jersey - New Brunswick.
  • Degree-granting institution: Rutgers The State University of New Jersey - New Brunswick.
  • Subjects: Statistics; Computer Science.
  • Degree: Ph.D.
  • Year: 2000
  • Pages: 109 p.
  • Total pages: 109
  • Format: PDF
  • Language: eng
  • Chinese Library Classification: Statistics; Automation technology, computer technology
  • Keywords:
