Abstract

In the information era, as computer networks and related applications become more and more popular, security problems in the global information infrastructure are becoming more and more serious. It was reported that in the past two years, large numbers of network attacks and computer viruses caused great damage to the global economy, and the potential threats to the global information infrastructure have increased a lot. To defend against various cyber attacks and computer viruses, many computer security techniques have been studied, including cryptography, firewalls and intrusion detection, etc. As an important computer security technique, intrusion detection [1,2] has been considered more promising for defending against complex computer attacks than other techniques such as cryptography, firewalls, etc. The aim of intrusion detection is to find cyber attacks or non-permitted deviations from the characteristic properties of a computer system or monitored network. Thus, one of the central problems for intrusion detection systems (IDSs) is to build effective behavior models or patterns that distinguish normal behaviors from abnormal behaviors by observing collected audit data. To solve this problem, earlier IDSs usually relied on security experts to analyze the audit data and construct intrusion detection rules manually [2]. However, since the amount of audit data, including network data, process execution traces and user command data, etc., increases very fast, it has become time-consuming, tedious and even impossible for human experts to analyze dynamic, huge volumes of audit data and extract attack signatures or detection rules. Furthermore, detection rules constructed by human experts are usually based on fixed features or signatures of existing attacks, so it is very difficult for these rules to detect deformed or even completely new attacks.
According to the differences in the monitored data, IDSs can be mainly classified into two categories, i.e., network-based intrusion detection and host-based intrusion detection. Network-based intrusion detection observes data from network packets and extracts various features from them, which usually include connection features, traffic features, and content features. A systematic discussion of feature representation in network-based intrusion detection can be found in [3]. For host-based intrusion detection, various observation data from the corresponding operating systems are collected, which mainly include system call data and shell command data [4], etc. Despite having different observation data, both host-based and network-based intrusion detection need to improve detection accuracy in the face of large volumes and high variability of normal and attack behaviors. Aiming at this problem,
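As an added illustration of what "building a behavior model from collected audit data" means for host-based intrusion detection (this is example code, not the method proposed in this paper), the following learns the set of short system-call n-grams seen in normal process traces and scores a new trace by the fraction of n-grams it has never seen. The traces are constructed sample data and the n-gram window and threshold are assumed values.

```python
# Host-based anomaly detection on system-call traces: an n-gram behaviour model
# learned from normal audit data (example code, not the paper's own method).

# Constructed sample audit data: system-call names from hypothetical process
# traces. The normal traces all follow a simple file-handling pattern.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["stat", "open", "read", "write", "close"],
]

# Constructed trace that departs from the learned pattern: the process starts
# executing and talking over the network in the middle of file handling.
SUSPICIOUS_TRACE = ["open", "read", "execve", "socket", "connect", "write", "close"]


def ngrams(trace, n):
    """All length-n windows of a trace, in order (empty if the trace is shorter than n)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class SyscallNgramModel:
    """Behaviour model: the set of system-call n-grams observed in normal traces."""

    def __init__(self, n=3):  # window size is an assumed parameter
        self.n = n
        self.known = set()

    def train(self, traces):
        """Record every n-gram that occurs in the normal (training) traces."""
        for trace in traces:
            self.known.update(ngrams(trace, self.n))
        return self

    def anomaly_score(self, trace):
        """Fraction of the trace's n-grams never seen in training: 0.0 means fully normal."""
        grams = ngrams(trace, self.n)
        if not grams:  # too short to form a single window; nothing to judge
            return 0.0
        unseen = sum(1 for g in grams if g not in self.known)
        return unseen / len(grams)

    def is_anomalous(self, trace, threshold=0.3):  # threshold is an assumed value
        """Flag a trace whose unseen-n-gram fraction exceeds the threshold."""
        return self.anomaly_score(trace) > threshold


if __name__ == "__main__":
    model = SyscallNgramModel(n=3).train(NORMAL_TRACES)
    print("suspicious trace score:", model.anomaly_score(SUSPICIOUS_TRACE))
    print("flagged:", model.is_anomalous(SUSPICIOUS_TRACE))
```

A benign variation such as one extra `read` produces only a single unseen n-gram and stays below the threshold, which is the tolerance to normal variability that hand-written signatures lack.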
