Dealing with Interleaved Event Inputs for Intrusion Detection
| Published in | Journal of Information Science and Engineering Vol. 35; no. 1; pp. 223 - 242 |
|---|---|
| Main Authors | Hsing-Kuo Pao, Fong-Ruei Lee, Yuh-Jye Lee |
| Format | Journal Article |
| Language | English |
| Published | Taipei: 社團法人中華民國計算語言學學會 / Institute of Information Science, Academia Sinica, 01.01.2019 |
| ISSN | 1016-2364 |
| DOI | 10.6688/JISE.201901_35(1).0012 |
| Abstract | We propose an intrusion detection method that can deal with interleaved event inputs. The event sequences may be alert sequences in a network or running processes on a host which are both considered to contain mixed behaviors with unpredictable orders in the temporal domain. To detect intrusions with interleaved event sequences, one of the major difficulties is to separate the interleaved events that are produced by different users or for different intentions. We propose a novel ATM algorithm to extract subsequences that characterize different behaviors; afterwards, a method that is based on graph representation is used to detect intrusions. In a network, there could be intruders who plan a DDoS attack on an environment that has mostly benign users. The proposed method can distinguish between different pieces of network data that represent different behaviors and locate where the intrusion is. On a host, users without enough privilege may inappropriately gain access to data that they are not supposed to see. The proposed method can detect the event subsequence that is associated with the unauthorized activity given a usage sequence from users such as process, command or log sequences. Given the network or host-based data, the experiment results show that the proposed method can reach high precision and recall rates at the same time in the intrusion detection task. Moreover, the graphs produced by the proposed ATM method are also compared to the graphs generated from other methods to confirm that the ATM-based graph representation indeed describes meaningful transitions between events. |
|---|---|
| Author | Hsing-Kuo Pao, Fong-Ruei Lee, Yuh-Jye Lee |
| Copyright | Copyright Institute of Information Science, Academia Sinica Jan 2019 |
| Keywords | event sequence; network-based intrusion; host-based intrusion; interleaved event; intrusion detection |
| SubjectTerms | Algorithms; Cybersecurity; Denial of service attacks; Graph representations; Graphical representations; Graphs; Intrusion detection systems |
| URI | https://www.airitilibrary.com/Article/Detail/10162364-201901-201901040003-201901040003-223-242 ; https://www.proquest.com/docview/2188921898 |