Abstract
Intrusion detection complements prevention mechanisms, such as firewalls, cryptography, and authentication, to capture intrusions into an information system while they are acting on the information system. Our study investigates a multivariate quality control technique to detect intrusions by building a long-term profile of normal activities in information systems (norm profile) and using the norm profile to detect anomalies. The multivariate quality control technique is based on Hotelling's T² test, which detects both counterrelationship anomalies and mean-shift anomalies. The performance of the Hotelling's T² test is examined on two sets of computer audit data: a small data set and a large multiday data set. Both data sets contain sessions of normal and intrusive activities. For the small data set, the Hotelling's T² test signals all the intrusion sessions and produces no false alarms for the normal sessions. For the large data set, the Hotelling's T² test signals 92 percent of the intrusion sessions while producing no false alarms for the normal sessions. The performance of the Hotelling's T² test is also compared with the performance of a more scalable multivariate technique, a chi-squared distance test.
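The detection scheme the abstract describes, as an added worked example (this is illustration code, not the paper's own implementation or data): a norm profile (mean vector and covariance matrix) is built from constructed per-session audit feature counts, Hotelling's T² is computed for each new session, and a chi-squared distance is computed alongside it for comparison. The feature vectors, the signalling rule (a statistic above the largest value seen on the training sessions), and the exact chi-squared distance formula Σ(xᵢ−μᵢ)²/μᵢ are assumptions made here; the abstract gives no data, control limits or formulas.

```python
"""Hotelling's T^2 norm-profile anomaly detection beside a chi-squared distance test.

Added illustration, not code from the paper. Feature vectors, the threshold
rule and the chi-squared distance formula are constructed assumptions chosen
to show the two behaviours the abstract names: counterrelationship anomalies
and mean-shift anomalies.
"""

# Constructed "audit data": one row per normal session, two features per row,
# e.g. (file-access events, system calls). Feature 2 tracks roughly twice
# feature 1, so the norm profile carries a strong positive correlation.
NORMAL_SESSIONS = [
    (8, 17), (9, 18), (10, 20), (11, 23), (12, 24),
    (10, 19), (9, 19), (11, 22), (10, 21), (12, 25),
]


def mean_vector(rows):
    """Column means of the training sessions."""
    n, p = len(rows), len(rows[0])
    return [sum(row[i] for row in rows) / n for i in range(p)]


def covariance(rows, mu):
    """Unbiased sample covariance matrix (divides by n - 1)."""
    n, p = len(rows), len(mu)
    s = [[0.0] * p for _ in range(p)]
    for row in rows:
        d = [row[i] - mu[i] for i in range(p)]
        for i in range(p):
            for j in range(p):
                s[i][j] += d[i] * d[j]
    return [[v / (n - 1) for v in r] for r in s]


def invert(matrix):
    """Gauss-Jordan inverse with partial pivoting; raises if the matrix is singular."""
    n = len(matrix)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("covariance matrix is singular; drop collinear features")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def hotelling_t2(x, profile):
    """T^2 = (x - mu)^T S^-1 (x - mu): squared Mahalanobis distance to the norm profile."""
    mu, s_inv = profile["mu"], profile["s_inv"]
    d = [x[i] - mu[i] for i in range(len(mu))]
    return sum(d[i] * s_inv[i][j] * d[j]
               for i in range(len(d)) for j in range(len(d)))


def chi_square_distance(x, profile):
    """Assumed chi-squared distance: sum_i (x_i - mu_i)^2 / mu_i.

    Uses only the means, never the covariance, so it is cheap (scalable) but
    blind to broken relationships between features. Requires mu_i > 0.
    """
    mu = profile["mu"]
    return sum((x[i] - mu[i]) ** 2 / mu[i] for i in range(len(mu)))


def build_norm_profile(rows):
    """Long-term profile of normal activity plus signalling limits.

    Assumed control-limit rule: signal when a statistic exceeds the largest
    value observed over the training sessions.
    """
    mu = mean_vector(rows)
    profile = {"mu": mu, "s_inv": invert(covariance(rows, mu))}
    profile["t2_limit"] = max(hotelling_t2(r, profile) for r in rows)
    profile["chi_limit"] = max(chi_square_distance(r, profile) for r in rows)
    return profile


def classify(x, profile):
    """Return both verdicts for one session so the two tests can be compared."""
    t2 = hotelling_t2(x, profile)
    chi = chi_square_distance(x, profile)
    return {"t2": t2, "t2_signal": t2 > profile["t2_limit"],
            "chi": chi, "chi_signal": chi > profile["chi_limit"]}


if __name__ == "__main__":
    prof = build_norm_profile(NORMAL_SESSIONS)
    cases = {
        "normal": (10, 20),               # on the usual line
        "counterrelationship": (12, 17),  # each feature in range, relation broken
        "mean shift": (30, 60),           # relation kept, both counts inflated
    }
    for name, x in cases.items():
        v = classify(x, prof)
        print(f"{name:20s} T2={v['t2']:8.2f} signal={v['t2_signal']!s:5s} "
              f"chi2={v['chi']:8.2f} signal={v['chi_signal']}")
```

Running it shows the contrast the abstract draws: the session (12, 17) keeps every feature inside its normal range, so the chi-squared distance stays below its limit, but it breaks the learned correlation and T² exceeds its limit by more than an order of magnitude. The inflated session (30, 60) shifts the mean and is signalled by both tests. The price of T² is the covariance inverse, which grows with the square of the feature count and fails outright for collinear features; that is the scalability trade-off behind the comparison.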
Original language | English (US) |
---|---|
Pages (from-to) | 810-820 |
Number of pages | 11 |
Journal | IEEE Transactions on Computers |
Volume | 51 |
Issue number | 7 |
DOIs | |
State | Published - Jul 2002 |
Keywords
- Chi-square test
- Computer security
- Hotelling's T² test
- Intrusion detection
- Multivariate statistical analysis
ASJC Scopus subject areas
- Software
- Theoretical Computer Science
- Hardware and Architecture
- Computational Theory and Mathematics