Intrusion detection through learning behavior model

Intrusion detection is the process of identifying user actions that might potentially lead a system from a secured state to a compromised state. Normally, it is observed that the users exhibit regularities in their usage of commands of a system, as they tend to achieve the same (or perhaps similar) objective. The command sequences can therefore be used to characterize the user behavior (ACM SIGMETRICS, Performance Evaluation Review, Texas, USA, 13(2) (1985) 40). Deviations from the characteristic behavior pattern of a user can be used to detect potential intrusions. But, it requires that the user behavior is modeled either on an individual or on a group basis, in such a way that the model captures the essence of the user behavior. In this work reported here, we propose an algorithm for intrusion detection, called Genetic algorithm Based Intrusion Detector (GBID) based on "learning the individual user behavior". The user behavior is learnt by using genetic algorithms. Current user behavior can be predicted by genetic algorithms based on the past observed user behavior. The user behavior has been described using a S-tuple (Match index, Entropy index, Newness index). Value of the 3-tuple is calculated for fixed block size of commands in a user session, called command sample. The 3-tuple value of a command sample in user session are compared with expected non-intrusive behavior 3-tuple value to find intrusions. (C) 2001 Elsevier Science B.V. All rights reserved.