Abstract
Intrusions into computer systems have caused many quality/reliability problems. Detecting intrusions is an important part of assuring the quality/reliability of computer systems by quickly detecting intrusions and associated quality/reliability problems in order to take corrective actions. In this paper, we present and compare two methods of forecasting normal activities in computer systems for intrusion detection. One forecasting method uses the average of long-term normal activities as the forecast. Another forecasting method uses the EWMA (exponentially weighted moving average) one-step-ahead forecast. We use a Markov chain model to learn and predict normal activities used in the EWMA forecasting method. A forecast of normal activities is used to detect a large deviation of the observed activities from the forecast as a possible intrusion into computer systems. A Chi square distance metric is used to measure the deviation of the observed activities from the forecast of normal activities. The two forecasting methods are tested on computer audit data of normal and intrusive activities for intrusion detection. The results indicate that the Chi square distance measure with the EWMA forecasting provides better performance in intrusion detection than that with the average-based forecasting method.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
