Abstract
This article describes an intrusion detection technique that aims to
enhance the security of computing systems. The idea of intrusion detection
is based on the hypothesis that computer users are typically involved in
specific types of activity, and the set of programs they will use will
normally reflect that activity. Hence, security violations could be detected
from abnormal patterns of system usage. Intrusion detection almost invariably
involves two components: system monitoring and data analysis. In general, system
monitoring records everything that each user performs in the system. Monitoring
information is analyzed by use of some data analysis technique to abstract user
behavior patterns from the audit log. Although system monitoring is widely
supported in today's computer systems (at least for accounting purposes),
the provision of tools for analyzing that monitoring information is insufficient.
We present a multivariate data analysis of user behavior patterns in intrusion
detection. Our system records all user activities in each login session; abnormal
sessions are identified when the monitoring data are analyzed. Data analysis
involves two steps: analysis of correlations and classification of behavior patterns.
Analysis of correlations, which is based on standardized principal components
analysis, partitions the set of user sessions into groups such that sessions
within the same group are closely correlated and hence governed by the same
behavior pattern. Classification of behavior patterns is automated by a cluster
recognition technique. To visualize analysis results, the multivariate data
set is summarized by factor analysis.
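The two analysis steps described above, standardized principal components analysis followed by cluster recognition, are illustrated by the following added example. It is not code from the paper: the per-session program-usage counts are constructed, the components retained are chosen by a cumulative-variance threshold (assumed 90%), and the paper's cluster-recognition technique is stood in for by a single-linkage rule that links two sessions whose distance in component space is below three times the median nearest-neighbour distance (an assumed rule); a session that links to no other session has no shared behavior pattern and is reported as abnormal. The factor-analysis visualization step is not shown.

```python
"""Added example (not from the paper): standardized principal components
analysis of per-session program-usage counts, followed by a simple
cluster-recognition step that groups closely correlated sessions and
flags sessions that belong to no group as abnormal."""
import numpy as np

# Constructed audit summary: one row per login session, one column per
# program class (invocation counts). Sessions 0-2 resemble software
# development, sessions 3-5 and 7 clerical/mail work; session 6 is a
# constructed anomaly with an unusual burst of shell commands.
PROGRAM_CLASSES = ["editor", "compiler", "mail", "shell"]
SESSIONS = np.array([
    [40, 30, 5, 20],
    [45, 28, 4, 22],
    [38, 35, 6, 18],
    [5, 0, 40, 8],
    [6, 1, 45, 10],
    [4, 0, 38, 9],
    [2, 0, 3, 150],
    [7, 2, 42, 11],
], dtype=float)


def standardize(x):
    """Centre each column and scale it to unit variance (ddof=1), so that
    heavily used programs do not dominate the analysis by raw count."""
    return (x - x.mean(axis=0)) / x.std(axis=0, ddof=1)


def principal_components(z, min_variance=0.9):
    """Eigen-decompose the correlation matrix of the standardized data and
    keep the fewest leading components that explain at least `min_variance`
    of the total variance. Returns (eigenvalues, loadings, n_kept)."""
    n = z.shape[0]
    corr = z.T @ z / (n - 1)                 # correlation matrix of z
    eigvals, eigvecs = np.linalg.eigh(corr)  # eigh returns ascending order
    order = np.argsort(eigvals)[::-1]
    eigvals, eigvecs = eigvals[order], eigvecs[:, order]
    cumulative = np.cumsum(eigvals) / eigvals.sum()
    n_kept = min(int(np.searchsorted(cumulative, min_variance)) + 1, len(eigvals))
    return eigvals, eigvecs, n_kept


def session_scores(z, eigvecs, n_kept):
    """Project each session onto the retained components."""
    return z @ eigvecs[:, :n_kept]


def recognise_groups(scores, factor=3.0):
    """Single-linkage grouping in component space (assumed rule): two
    sessions are linked when their distance is at most `factor` times the
    median nearest-neighbour distance. Connected components are the
    behavior-pattern groups; a session linked to nobody is abnormal."""
    n = scores.shape[0]
    dist = np.linalg.norm(scores[:, None, :] - scores[None, :, :], axis=2)
    nearest = np.sort(dist, axis=1)[:, 1]    # column 0 is the self-distance 0
    threshold = factor * np.median(nearest)
    labels = [-1] * n
    for start in range(n):                   # depth-first flood fill
        if labels[start] != -1:
            continue
        labels[start] = start
        stack = [start]
        while stack:
            i = stack.pop()
            for j in range(n):
                if labels[j] == -1 and dist[i, j] <= threshold:
                    labels[j] = start
                    stack.append(j)
    groups = {}
    for i, label in enumerate(labels):
        groups.setdefault(label, []).append(i)
    groups = sorted(groups.values())
    abnormal = [g[0] for g in groups if len(g) == 1]
    return groups, abnormal


def analyse(sessions=SESSIONS, min_variance=0.9):
    """Run both analysis steps and return the results as a dictionary."""
    z = standardize(sessions)
    eigvals, eigvecs, n_kept = principal_components(z, min_variance)
    scores = session_scores(z, eigvecs, n_kept)
    groups, abnormal = recognise_groups(scores)
    return {"eigenvalues": eigvals, "n_components": n_kept,
            "groups": groups, "abnormal": abnormal}


if __name__ == "__main__":
    result = analyse()
    print("eigenvalues:", np.round(result["eigenvalues"], 3))
    print("components retained:", result["n_components"])
    print("groups:", result["groups"])
    print("abnormal sessions:", result["abnormal"])
```

Because the data are standardized, the eigenvalues of the correlation matrix sum to the number of program classes, and a component with eigenvalue above 1 carries more variance than any single raw feature; the two usage patterns (development and clerical) separate along the leading component, while the anomalous session sits far from both groups along the component dominated by shell activity.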