
Research, Information Theory-based Intrusion Detection Technology

Posted on: 2004-08-22
Degree: Master
Type: Thesis
Country: China
Candidate: X J Lin
Full Text: PDF
GTID: 2208360092975071
Subject: Computer applications

Abstract/Summary:
Generally, traditional intrusion detection techniques can be categorized as either anomaly detection or misuse detection. Based on the mechanism of the computer immune system, this paper presents a new anomaly detection technique for detecting intrusions into a computer system. In this technique, a Markov chain model is used to represent a temporal profile of the normal behavior of a process. The Markov chain model of the normal profile is created by learning from historic data: the sequences of system calls produced by privileged processes running on a UNIX system. During monitoring, the observed behavior of a process is analyzed to infer the probability that the Markov chain model of the normal profile supports the observed behavior. A low probability of support indicates anomalous process behavior that may result from intrusive activities. The technique is implemented and tested on a set of audit data obtained from the University of New Mexico, and the test results show that it clearly distinguishes intrusive activities from normal activities. Further, some concepts from information theory are introduced to describe the regularity of process system calls, such as the sequential dependency relationship between neighboring system calls. The use of information theory provides theoretical grounding for building more effective detection models. Finally, by applying the maximum entropy method from information theory, a maximum entropy model of intrusion detection is presented. As the experimental results show, the range of the misclassification rate (which the maximum entropy model supports) can be used as the indicator of whether a process is under attack.
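The following is an added illustration of the Markov chain profile described in the abstract, not code from the thesis: a first-order chain over system-call names is learned from constructed normal traces, an observed trace is scored by the average log-probability of its transitions (the "support" of the profile), and the conditional entropy of the learned transitions is computed as the information-theoretic measure of sequential dependency the abstract refers to. The traces, the smoothing constant and the decision threshold are all assumptions for the example, not values from the UNM data set.

```python
from collections import Counter, defaultdict
import math

# Constructed sample traces of system-call names (hypothetical, not UNM audit data).
NORMAL_TRACES = [
    ["open", "read", "read", "close", "open", "read", "close"],
    ["open", "read", "write", "close", "open", "read", "close"],
    ["open", "read", "read", "write", "close"],
]
# Constructed observed trace containing a call and transitions absent from the profile.
SUSPECT_TRACE = ["open", "read", "execve", "read", "close"]


class MarkovProfile:
    """First-order Markov chain over system-call names, learned from normal traces."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha            # Laplace smoothing: unseen transitions get a small, nonzero probability
        self.counts = defaultdict(Counter)  # counts[prev][curr] = number of observed prev -> curr transitions
        self.states = set()

    def train(self, traces):
        for trace in traces:
            self.states.update(trace)
            for prev, curr in zip(trace, trace[1:]):
                self.counts[prev][curr] += 1

    def transition_prob(self, prev, curr):
        row = self.counts.get(prev, Counter())   # .get avoids creating rows for unseen calls
        # +1 reserves one smoothed bucket for any call never seen during training.
        total = sum(row.values()) + self.alpha * (len(self.states) + 1)
        return (row[curr] + self.alpha) / total

    def log_support(self, trace):
        """Average log-probability per transition; lower values mean weaker support by the normal profile."""
        lps = [math.log(self.transition_prob(p, c)) for p, c in zip(trace, trace[1:])]
        return sum(lps) / len(lps) if lps else 0.0

    def conditional_entropy(self):
        """H(X_t | X_{t-1}) in bits over the learned transitions: 0 means the next call is fully determined."""
        total = sum(sum(row.values()) for row in self.counts.values())
        h = 0.0
        for row in self.counts.values():
            n = sum(row.values())
            for cnt in row.values():
                p = cnt / n
                h -= (n / total) * p * math.log2(p)
        return h


def is_anomalous(profile, trace, threshold):
    """Flag a trace whose average log-support falls below the chosen threshold."""
    return profile.log_support(trace) < threshold
```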
Keywords/Search Tags:Intrusion detection, Anomaly detection, Markov Chain, Entropy, Feature Extraction, Maximum Entropy Method