A Fuzzy Approach to User-level Intrusion Detection

Traditionally, researchers have focused on network level intrusion detection and program level intrusion detection to improve computer security. However, neither approach is foolproof. Typically, a successful attacker manifests in the form of the attacker becoming a user on the host either with elevated or normal user privileges. The reason for this situation is that current research and technology development have focused on external, not internal. At this point, user-level intrusion detection attempts to deter and curtail an attacker even after the system has been compromised. This paper proposed a novel method for anomaly detection of user behavior. Considering the complexity and fluctuation of user behavior, our method builds a finite automaton to profile the user's normal behavior with closeness of commands within patterns and timing sequence and frequency information between patterns. This allows discrete data used for training to have a holistic structure that allows for a more accurate expression of the normal behavior of the user. In the detection stage, our method builds a threat evaluation system using fuzzy logic. Experimental results on data sets of Purdue University, SEA and self-collected data show that an accurate, effective and efficient detection can be achieved using the proposed approach.