A methodology to detect temporal regularities in user behavior for anomaly detection

This article is free to access.

Abstract

Network security, and intrusion detection in particular, has been an area of increased interest in the security community over the last several years. However, the majority of work in this area has concentrated on implementing misuse detection systems that monitor network traffic for intrusion patterns. In anomaly detection, classification has mainly been based on statistical or sequential analysis of data, often neglecting the temporal information of events as well as the relations between them. In this paper we consider the anomaly detection problem as one of classifying user behavior in terms of incoming multiple discrete sequences. We present an approach that allows creating and maintaining user behavior profiles relying not only on sequential information but also on temporal features, such as events' lengths and possible relations between them. We define a user profile as a number of predefined classes of actions with accumulated temporal statistics for every class, and a matrix of possible relations between classes. © 2002 Kluwer Academic / Plenum Publishers, New York.

Cite

Seleznyov, A. (2002). A methodology to detect temporal regularities in user behavior for anomaly detection. In IFIP Advances in Information and Communication Technology (Vol. 65, pp. 339–352). Springer New York LLC. https://doi.org/10.1007/0-306-46998-7_24
