Clustering Normal User Behavior for Anomaly Intrusion Detection

(Korean title: A Clustering Technique for Normal User Behavior for Anomaly Detection)

  • 오상현 (Sang-Hyun Oh; Department of Computer Science, Graduate School, Yonsei University) ;
  • 이원석 (Won-Suk Lee; Department of Computer Science, Yonsei University)
  • Published: 2003.12.01

Abstract

Previous work on detecting intrusions from anomalies in a user's activities has concentrated on statistical techniques for analyzing an audit data set. However, because those techniques mainly model the average behavior of a user, some anomalies are detected inaccurately. This paper proposes a new clustering algorithm for modeling the normal pattern of a user's activities. Since clustering can identify an arbitrary number of dense ranges in an analysis domain, it avoids the inaccuracy that a single-average statistical model introduces. Clustering can also model the common knowledge that occurs frequently in a set of transactions, so the common activities of a user can be found more accurately. This common knowledge is represented by the occurrence frequency of similar data objects per transaction as well as the common repetitive ratio of similar data objects within each transaction. The proposed method also addresses how to maintain the identified common knowledge as a concise profile, which can then be used to detect anomalous behavior in an online transaction.

To detect anomalous user behavior, previous studies have mainly used statistical techniques. However, because those studies mainly analyze a user's average behavior, the user's anomalous behavior cannot be detected accurately. This paper proposes a new clustering method for modeling a user's normal behavior. Since clustering can identify an arbitrary number of dense (frequent) regions in the analysis domain, it can improve on the inaccurate modeling of statistical techniques. Frequent common knowledge can be represented by the frequency with which similar data objects occur per transaction and the repetition ratio of similar data objects contained in each transaction. In addition, the proposed method describes how to maintain the common knowledge as a condensed profile. Anomalous behavior in online transactions can therefore be detected easily using the generated profile.
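As an added illustration, not the paper's own algorithm or code, the following Python sketch shows the shape of the approach the abstract describes: each login session of a user is one transaction; a command's occurrence frequency across transactions and its repetitive ratio within the transactions that contain it form the profile of common activities; a one-dimensional density clustering finds the dense ranges of a numeric attribute (the login hour); and a new online transaction is scored against that concise profile. The session data, the thresholds (min_support, eps, min_pts, rep_factor) and the scoring rule are constructed assumptions for the example.

```python
"""Added example (not the paper's code): a transaction-level normal-behavior
profile built from per-session command counts and dense login-hour ranges,
then used to score new sessions. All data and thresholds are assumptions."""
from collections import Counter

# Constructed sample audit data: one transaction = one login session of a user,
# recorded as the hour of login and the sequence of commands executed.
TRAINING_SESSIONS = [
    {"hour": 9,  "cmds": ["ls", "cd", "vim", "make", "ls", "make", "ls"]},
    {"hour": 10, "cmds": ["ls", "cd", "vim", "make", "gcc", "ls"]},
    {"hour": 9,  "cmds": ["cd", "ls", "vim", "vim", "make", "ls"]},
    {"hour": 14, "cmds": ["ls", "cd", "vim", "make", "ls", "ls"]},
    {"hour": 15, "cmds": ["cd", "ls", "make", "vim", "git", "ls"]},
    {"hour": 10, "cmds": ["ls", "vim", "make", "cd", "ls"]},
    {"hour": 14, "cmds": ["ls", "cd", "make", "vim", "ls", "make"]},
    {"hour": 2,  "cmds": ["ls", "cd", "vim", "ls"]},  # lone late-night session: noise
]


def dense_ranges(values, eps=1, min_pts=3):
    """One-dimensional density clustering: sorted values are chained while the
    gap to the previous value is <= eps; chains with fewer than min_pts points
    are treated as noise. Returns [(low, high), ...], one pair per dense range."""
    ranges, chain = [], []
    for v in sorted(values):
        if chain and v - chain[-1] > eps:
            if len(chain) >= min_pts:
                ranges.append((chain[0], chain[-1]))
            chain = []
        chain.append(v)
    if len(chain) >= min_pts:
        ranges.append((chain[0], chain[-1]))
    return ranges


def build_profile(sessions, min_support=0.5, eps=1, min_pts=3):
    """Concise profile of a user's common behavior:
    - support[cmd]: fraction of transactions in which cmd occurs at all
    - common[cmd]: repetitive ratio (mean occurrences per transaction that
      contains cmd), kept only for commands with support >= min_support
    - hour_ranges: dense ranges of the login hour"""
    n = len(sessions)
    per_tx = [Counter(s["cmds"]) for s in sessions]
    tx_count = Counter()
    for c in per_tx:
        tx_count.update(c.keys())  # count each command once per transaction
    support = {cmd: k / n for cmd, k in tx_count.items()}
    common = {}
    for cmd, sup in support.items():
        if sup >= min_support:
            hits = [c[cmd] for c in per_tx if cmd in c]
            common[cmd] = sum(hits) / len(hits)
    return {"common": common, "support": support,
            "hour_ranges": dense_ranges([s["hour"] for s in sessions], eps, min_pts)}


def score_session(profile, session, rep_factor=3.0):
    """Score one online transaction against the profile. A command is unknown if
    it is not in the common set and over-repeated if it occurs more than
    rep_factor times its usual repetitive ratio; the login hour must fall in a
    dense range. score = (unknown + over-repeated) / distinct commands, plus 1.0
    if the hour lies outside every dense range. 0.0 means fully consistent."""
    counts = Counter(session["cmds"])
    common = profile["common"]
    unknown = [c for c in counts if c not in common]
    over = [c for c in counts if c in common and counts[c] > rep_factor * common[c]]
    hour_ok = any(lo <= session["hour"] <= hi for lo, hi in profile["hour_ranges"])
    score = (len(unknown) + len(over)) / max(len(counts), 1) + (0.0 if hour_ok else 1.0)
    return {"score": score, "unknown": unknown, "over_repeated": over, "hour_ok": hour_ok}


if __name__ == "__main__":
    profile = build_profile(TRAINING_SESSIONS)
    print("common commands and repetitive ratios:", profile["common"])
    print("dense login hours:", profile["hour_ranges"])
    for s in ({"hour": 10, "cmds": ["cd", "ls", "vim", "make", "ls"]},
              {"hour": 3, "cmds": ["ls", "cat", "cat", "cat", "scp", "rm"]},
              {"hour": 9, "cmds": ["ls"] * 10 + ["cd"]}):
        print(s["hour"], score_session(profile, s))
```

On the constructed data the profile keeps ls, cd, vim and make (gcc and git fall below min_support) and two dense login-hour ranges, 9 to 10 and 14 to 15; the single 02:00 session is noise and does not widen the profile. A session at 03:00 running cat, scp and rm scores high on both the unknown-command and the hour term, while a session that only runs ls ten times is flagged solely through the repetitive ratio. The practitioner caveats are the same as for any profile-based detector: thresholds must be tuned per user, the profile must be refreshed as the user's behavior drifts, and a session that mimics the profile (common commands at usual hours) scores 0.0 regardless of intent, so this kind of detection complements rather than replaces signature-based checks.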
