Universiti Teknologi Malaysia Institutional Repository

A study on advanced statistical analysis for network anomaly detection

Ngadi, Md. Asri and Idris, Mohd. Yazid and Abdullah, Abd. Hanan (2005) A study on advanced statistical analysis for network anomaly detection. Project Report. Faculty of Computer Science and Information System, Skudai, Johor. (Unpublished)

Full text not available from this repository.

Abstract

Algorithms for building detection models are usually classified into two categories: misuse detection and anomaly detection. Misuse detection algorithms model know attack behavior. They compare sensor data to attack patterns learned from the training data. Anomaly detection algorithms model normal behavior. Anomaly detection models compare sensor data to normal patterns learned from the training data by using statistical method and try to detect activity that deviates from normal activity. Although Anomaly IDS might be complete, its accuracy is questionable since this approach suffers from a high false positive alarm rate and misclassification.This project expects an enhancement algorithm to be able to reduce a false positive alarm and misclassification rate. This research investigated a discriminant analysis method for detecting intrusions based on number of system calls during an activity on host machine. This method attempts to separate intrusions from normal activities. This research detects intrusions by analyzing at least system call occurring on activities, and can also tell whether an activity is an intrusion. The focus of this analysis is on original observations that performed a detecting outlier and power transformation to transform not normally distributed data to near normality. The correlation of each system calls are examined using coefficient correlations of each selected system call variables. This approach is a lightweight intrusion detection method, given that requires only nine system calls that are strongly correlated to intrusions for analysis. Moreover, this approach does not require user profiles or a user activity database in order to detect intrusions. Lastly, this method can reduce a high false positive alarm rate and misclassification for detecting process.

Item Type:Monograph (Project Report)
Divisions:Computer Science and Information System
ID Code:9074
Deposited By: Noor Aklima Harun
Deposited On:02 Jul 2009 04:20
Last Modified:14 Aug 2017 06:53

Repository Staff Only: item control page