Probabilistic techniques for intrusion detection based on computer audit data

Nong Ye, Xiangyang Li, Qiang Chen, Syed Masum Emran, Mingming Xu

Research output: Contribution to journalArticlepeer-review

171 Scopus citations


This paper presents a series of studies on probabilistic properties of activity data in an information system for detecting intrusions into the information system. Various probabilistic techniques of intrusion detection, including decision tree, Hotelling's T 2 test, chi-square multivariate test, and Markov chain are applied to the same training set and the same testing set of computer audit data for investigating the frequency property and the ordering property of computer audit data. The results of these studies provide answers to several questions concerning which properties are critical to intrusion detection. First, our studies show that the frequency property of multiple audit event types in a sequence of events is necessary for intrusion detection. A single audit event at a given time is not sufficient for intrusion detection. Second, the ordering property of multiple audit events provides additional advantage to the frequency property for intrusion detection. However, unless the scalability problem of complex data models taking into account the ordering property of activity data is solved, intrusion detection techniques based on the frequency property provide a viable solution that produces good intrusion detection performance with low computational overhead.

Original languageEnglish (US)
Pages (from-to)266-274
Number of pages9
JournalIEEE Transactions on Systems, Man, and Cybernetics Part A:Systems and Humans.
Issue number4
StatePublished - Jul 2001


  • Anomaly detection
  • Computer audit data
  • Intrusion detection
  • Pattern recognition

ASJC Scopus subject areas

  • Software
  • Control and Systems Engineering
  • Human-Computer Interaction
  • Computer Science Applications
  • Electrical and Electronic Engineering


Dive into the research topics of 'Probabilistic techniques for intrusion detection based on computer audit data'. Together they form a unique fingerprint.

Cite this