A Compound Intrusion Detection Model


Jianhua Sun, Hai Jin, Hao Chen, Qian Zhang and Zongfen Han
Internet and Cluster Computing Center, Huazhong University of Science and Technology, Wuhan, , China
{jhsun,

Abstract. Intrusion detection systems (IDSs) have become a critical part of security systems. The goal of an intrusion detection system is to identify intrusions effectively and accurately. However, the performance of a misuse intrusion detection system (MIDS) or an anomaly intrusion detection system (AIDS) on its own is not satisfactory. In this paper, we study the issue of building a compound intrusion detection model that has the merits of both MIDS and AIDS. To build this compound model, we propose an improved Bayesian decision theorem. The improved Bayesian decision theorem brings several benefits to this model: it eliminates the flaws of a narrow definition of intrusion patterns, extends known intrusion patterns to novel intrusion patterns, reduces the risks that intrusion detection brings to the system, and offers a method to build a compound intrusion detection model that integrates MIDS with AIDS.

1 Introduction

Security of network systems is becoming increasingly important, and the intrusion detection system (IDS) is a critical technology for protecting systems. There are two well-known kinds of intrusion detection systems: the misuse intrusion detection system (MIDS) and the anomaly intrusion detection system (AIDS). MIDS is efficient and accurate in detecting known intrusions, but cannot detect novel intrusions whose signature patterns are unknown. AIDS can detect both novel and known attacks, but its false alarm rate is high. Hence, MIDS and AIDS are often used together to complement each other. A compound intrusion detection system (CIDS) comprises models of both the normal behavior of the system and the intrusive behavior of the intruder. This kind of model gives an improved indication of the quality of the alarm, and is thus in some sense the most advanced kind of detector [1]. Early research [7] and [21] suggested that the two main systems ought to be combined to provide a complete intrusion detection system capable of detecting a wide array of different computer security violations [2].

In this paper, we study a compound intrusion detection model. Unlike a single MIDS or AIDS, we use a CIDS to achieve a higher detection rate and a lower false alarm rate. Using one simple similarity measure, MIDS and AIDS can work well independently. By applying an improved Bayesian decision theorem to our model, the combination of MIDS and AIDS is achieved. Furthermore, by applying this improved theorem, the model is sensitive to the various kinds of false alarms and minimizes the risks incurred by these false decisions.

The main contributions of this paper are as follows. We propose a novel compound intrusion detection model that integrates MIDS with AIDS. We improve the Bayesian decision theorem so that it suits a real security environment and minimizes the risks incurred by false decisions.

The rest of this paper is organized as follows. In section 2, we discuss some research background. Section 3 explains the reasons for improving the Bayesian decision theorem and shows how to build this compound intrusion detection model. In section 4, we evaluate our intrusion detection model using sequence databases. Section 5 ends with a conclusion and some discussion.

This paper is supported by the Key Nature Science Foundation of Hubei Province under grant 2001ABA001.

2 Research Background

Warrender et al. give a comparison of anomaly detection techniques and conclude that short sequences of system calls are more important than the particular method of analysis [25]. Stephanie Forrest presents an approach for modeling normal sequences using look-ahead pairs [5] and contiguous sequences [14]. Lane examines unlabeled data for anomaly detection by comparing the sequences of a user's actions during an intrusion to the user's normal profile [16][17][18]. In the Linux operating system, a program consists of a number of system calls, and different processes have different system call sequences. Because processes are coded differently, they differ in the order and the frequency of invocation of system calls [22]. So the particular order and frequency of system calls provides a clear separation between different kinds of processes. Experiments in [5] show that short sequences of system calls of processes generate a stable signature for normal behavior, and that the short-range ordering of system calls appears to be remarkably consistent. This suggests a simple model of normal behavior.

3 Intrusion Detection Based on Improved Bayesian Decision Theorem

The goal of an IDS is to detect and respond to an intrusion when it happens, while keeping security from being disturbed by false alarms. A false negative means that an intrusion really happens but the IDS does not catch it. A false positive is a situation where an abnormality defined by the IDS happens, but it does not turn out to be a real intrusion. Hence low false negatives and low false positives are the goals of an IDS. General IDSs often ignore the risks of false negatives and false positives. To minimize these risks, we build an intrusion detection model based on an improved Bayesian decision theorem.

3.1 Related Work

Decision-making is needed in many domains, and it is related to misclassification cost and class membership probability. In order to make an optimal decision, misclassification cost and class membership probability should be estimated first. In recent years, there has been a substantial amount of research on cost-sensitive issues. Gaffney et al. [6] provide an expected cost metric and demonstrate that, contrary to common belief, the value of an intrusion detection system and the optimal operation of that system depend not only on the system's ROC (Receiver Operating Characteristic) curve, but also on cost metrics and the probability of hostility in operation. MetaCost offers a general method for cost-sensitive learning [4], which is based on the assumption that costs are known in advance and are the same for all examples. Most previous research has been based on the assumption that misclassification costs are the same for all examples and known in advance, but in general these costs are example-dependent and different. For example, different mistakes in diagnosis can cause distinct risks. In medical treatment, false positives and false negatives also occur in physical examinations. A positive test for AIDS or cancer, when the person is disease free, is a false positive. The person suffers psychologically from the finding that he has a disease when he actually does not. A false negative is when there actually is a disease but the result comes back negative. A finding of no cancer, when there actually is cancer, is a false negative. The patient will be devastated because he does not get the timely treatment that he needs. Obviously, the results produced by these two wrong diagnostic decisions lead to clearly different harm. These false results cannot be completely eliminated, but they can be reduced. Meanwhile, class membership probabilities need to be estimated. Class membership probabilities are example-specific and not known in advance [26]. Direct cost-sensitive decision-making is made on the assumption that any learned classifier can provide conditional probability estimates for training examples and can also provide conditional probability estimates for test examples [26].

Axelsson offers a set of data showing that in diagnosis, even though the test is 90% certain, the chance of actually having the disease is only 1/100, because the population of healthy people is much larger than the population with the disease [2]. It is the same in the security field: the number of normal actions is much larger than the number of intrusion actions, and the chances of a real intrusion are small even when an intrusion decision is made. Hence, it is important to make an optimal decision to minimize the risks incurred by wrong decisions. The Bayesian decision theorem is an alternative method. The traditional Bayesian decision method is applied to many fields of real life, for example market decisions that reduce management risk and make a larger profit. This method considers the action that produces the highest expected utility or the lowest expected risk to be the most appropriate [24]. However, in order to calculate the expected utilities or risks, the probability of class membership must be calculated first. This method takes into account not only the risk incurred by the actions, but also the probability of class membership, which does not suit the requirements of intrusion detection. There are some intrusions that occur rarely but cause large damage. So we remove the probability term and obtain the improved Bayesian decision theorem to satisfy the requirements of the security problem.

We choose Internet Information Service (IIS) [11] as the attacked target service, and believe that experiments on other services would give similar results. We first construct two databases (details about their construction can be found in section 4.1). One is called the NSCS database and contains normal system call sequences, and the other is called the ISCS database and contains intrusion system call sequences. Several kinds of intrusion were used to attack the IIS, and during the intrusive process the system call sequences were recorded by Strace for NT [8]. Tables 1-4 list the experimental results. We take Table 1 as an example to illustrate these tables. In Table 1, the 11 fields form a system call sequence of length 11 in the ISCS database, and the sequence is NtWaitForMultipleObjects NtWaitForSingleObject NtWaitForMultipleObjects NtWaitForSingleObject NtWaitForSingleObject NtWaitForSingleObject NtWaitForSingleObject NtWaitForMultipleObjects NtWaitForSingleObject NtWaitForSingleObject NtWaitForSingleObject. The number in the first line of Table 1 is the total number of times this sequence occurs in the experiment. In these four tables, the numbers range from to 12. Some intrusions may occur only occasionally, but if the signatures of these intrusions are matched, an intrusion decision should be made. So to determine whether an intrusion occurs or not, we should remove the probability term. In order to meet the special requirements of security, we improve the Bayesian decision theorem, apply it to our model to account for the different losses caused by various kinds of mistakes, and offer an outcome that minimizes losses and risks.

3.2 Improved Bayesian Decision Theorem

A decision is more commonly called an action in the decision-making domain. A particular action is denoted by a, while the set of all possible actions under consideration is denoted by Φ. Φ is defined as:

$$\Phi = \{a_1, a_2, \ldots, a_c\} \qquad (1)$$

Each element in Φ incurs some loss, which is often a function of the decision and the state of nature. A decision table is used to denote this relationship. Table 5 is the general form of a decision table. In Table 5, $w_i$ is the ith state of nature, $\alpha_j$ is the jth action, and $\lambda(\alpha_j, w_i)$ is a risk function related to $\alpha_j$ and $w_i$. The quantity w, which affects the decision process, is commonly called the state of nature. In making a decision it is important to consider what the possible states of nature are. The symbol Ω is used to denote the set of all possible states of nature. Then

$$\Omega = \{w_1, w_2, \ldots, w_c\}. \qquad (2)$$

Table 1 Sequence Sample One
Number
field 1   NtWaitForMultipleObjects
field 2   NtWaitForSingleObject
field 3   NtWaitForMultipleObjects
field 4   NtWaitForSingleObject
field 5   NtWaitForSingleObject
field 6   NtWaitForSingleObject
field 7   NtWaitForSingleObject
field 8   NtWaitForMultipleObjects
field 9   NtWaitForSingleObject
field 10  NtWaitForSingleObject
field 11  NtWaitForSingleObject

Table 2 Sequence Sample Two
Number
field 1   NtQueryDefaultLocale
field 2   NtAllocateVirtualMemory
field 3   NtQueryVirtualMemory
field 4   NtAllocateVirtualMemory
field 5   NtQueryVirtualMemory
field 6   NtFreeVirtualMemory
field 7   NtDeviceIoControlFile
field 8   NtRemoveIoCompletion
field 9   NtDeviceIoControlFile
field 10  NtDeviceIoControlFile
field 11  NtDeviceIoControlFile

Table 3 Sequence Sample Three
Number    139
field 1   NtQueryInformationToken
field 2   NtSetInformationThread
field 3   NtOpenKey
field 4   NtOpenKey
field 5   NtWaitForSingleObject
field 6   NtReleaseSemaphore
field 7   NtPulseEvent
field 8   NtQueryInformationToken
field 9   NtSetInformationThread
field 10  NtFsControlFile
field 11  NtCreateFile

Table 4 Sequence Sample Four
Number    12
field 1   NtQueryAttributesFile
field 2   NtCreateFile
field 3   NtQueryVolumeInformationFile
field 4   NtQueryInformationFile
field 5   NtSetInformationThread
field 6   NtQueryInformationToken
field 7   NtSetInformationThread
field 8   NtCreateFile
field 9   NtSetInformationThread
field 10  NtQueryInformationToken
field 11  NtSetInformationThread

Table 5 General Form of a Decision Table
        w_1           w_2           ...   w_j           ...   w_c
α_1     λ(α_1, w_1)   λ(α_1, w_2)   ...   λ(α_1, w_j)   ...   λ(α_1, w_c)
α_2     λ(α_2, w_1)   λ(α_2, w_2)   ...   λ(α_2, w_j)   ...   λ(α_2, w_c)
...
α_i     λ(α_i, w_1)   λ(α_i, w_2)   ...   λ(α_i, w_j)   ...   λ(α_i, w_c)
...
α_c     λ(α_c, w_1)   λ(α_c, w_2)   ...   λ(α_c, w_j)   ...   λ(α_c, w_c)

In this model, c equals 2, $w_1$ denotes normal, and $w_2$ denotes intrusion. Accordingly $a_1$ means that the sequence is normal and can be passed over, and $a_2$ means that a signal of intrusion is emitted and that an action responds to the signal. A random variable is denoted by X, and a particular realization of X is denoted by x. $x = x_1, x_2, \ldots, x_n$ (each $x_i$ a system call), and $x_1, x_2, \ldots, x_n$ means a sequence of system calls $x_1\, x_2 \ldots x_n$, such as fstat64 mmap2 read ... close munmap rt_sigprocmask. Each x is classified into a normal sequence set or an intrusion sequence set.

In decision theory, a key element is the risk function. If a particular action $a_i$ is taken and $w_j$ ($i, j = 1, 2, \ldots, c$) turns out to be the true state of nature, then a risk $\lambda(\alpha_i, w_j)$ is incurred. $\lambda(\alpha_1, w_2)$ is the risk incurred because the sequence is ignored while it turns out to be an intrusion; $\lambda(\alpha_2, w_1)$ is the risk incurred because a signal of intrusion is emitted while the sequence turns out to be normal. $\lambda(\alpha_1, w_2)$ is normally much larger than $\lambda(\alpha_2, w_1)$. The traditional expected conditional risk $R(\alpha_i \mid x)$ can be obtained from the following formula:

$$R(\alpha_i \mid x) = E[\lambda(\alpha_i, w_j)] = \sum_{j=1}^{c} \lambda(\alpha_i, w_j)\, P(w_j \mid x), \quad i = 1, 2, \ldots, c \qquad (3)$$

where $P(w_j \mid x)$ is the conditional probability of $w_j$ for a given x and can be obtained through Bayes' theorem:

$$P(w_i \mid x) = \frac{p(x \mid w_i)\, P(w_i)}{\sum_{j=1}^{c} p(x \mid w_j)\, P(w_j)}, \quad i = 1, \ldots, c \qquad (4)$$

where the prior probabilities $P(w_i)$ are assumed known. Instead, we replace $P(w_j \mid x)$ in (3) by a similarity measure to get the improved Bayesian decision theorem. The similarity measure we use is similar to [16]. It differs in that we compare system call sequences, while [16] compares command sequences. The set of normal system call sequences is denoted by $\Psi_1$, and the set of intrusion system call sequences is denoted by $\Psi_2$. Once $\Psi_1$ and $\Psi_2$ are formed, we compare an incoming sequence to the sequences in $\Psi_1$ and $\Psi_2$ to calculate the similarity values between the observed sequence and each sequence of the two sets. If the two similarity values have a wide gap, we directly classify this sequence into $\Psi_1$ or $\Psi_2$. For example, if an observed sequence x has a similarity value of 0.8 with $\Psi_1$ and 0.2 with $\Psi_2$, x is classified into $\Psi_1$. Otherwise, if the two similarity values differ little, we use the Bayesian decision theorem to decide whether this sequence is normal or not.

The similarity measure simply assigns a score equal to the number of identical tokens found in the same location of the two sequences, and assigns a higher score to adjacent identical tokens than to separated identical tokens. We define the similarity of an observed sequence x to a set of sequences $\Psi_i$ as:

$$Sim(x, \Psi_i) = \max_{seq \in \Psi_i} \{Sim(x, seq)\}, \quad i = 1, \ldots, c \qquad (5)$$

and the sequence y that is most similar to x in $\Psi_i$ is the one satisfying

$$Sim(x, y) = \max_{seq \in \Psi_i} \{Sim(x, seq)\}, \quad i = 1, \ldots, c \qquad (6)$$

The improved expected conditional risk $R(\alpha_i \mid x)$ is obtained from (7):

$$R(\alpha_i \mid x) = E[\lambda(\alpha_i, w_j)] = \sum_{j=1}^{c} \lambda(\alpha_i, w_j)\, Sim(x, \Psi_j), \quad i = 1, 2, \ldots, c \qquad (7)$$

Intrusions belonging to the same intrusion category have identical or similar attack principles and intrusion techniques. Therefore they have identical or similar system call sequences and are significantly different from normal system call sequences. Most novel attacks are variants of known attacks, and the signatures of known attacks can be sufficient to catch novel variants [9]. In experiments, it is easy to obtain full normal traces. However, due to the limited knowledge of known intrusions, we can only obtain the known intrusion traces. In order to detect novel intrusions, we use this similarity measure to extend the known intrusion traces to novel intrusion traces. Among $R(\alpha_1 \mid x), R(\alpha_2 \mid x), \ldots, R(\alpha_c \mid x)$, the optimal decision is $a_k$, obtained from:

$$R(\alpha_k \mid x) = \min_{i = 1, \ldots, c} R(\alpha_i \mid x) \qquad (8)$$

In our model we just compare $R(\alpha_1 \mid x)$ and $R(\alpha_2 \mid x)$, and choose the action that brings less risk to the system. That is the improved Bayesian view of optimal decision making.

We build two profile databases. One is called the NSCS database and the other the ISCS database. Misuse intrusion detection can be achieved on the basis of the ISCS database, and, falling back on the NSCS database, anomaly intrusion detection can be realized. These two kinds of detection sub-models can work independently. Through the improved Bayesian decision theorem, misuse intrusion detection and anomaly intrusion detection are combined. This improved Bayesian decision theorem brings four benefits to this model. It eliminates the flaws of a narrow definition of normal patterns and intrusion patterns; extends known intrusion patterns to novel intrusion patterns; reduces the risks that intrusion detection brings to the system; and offers a method to build a compound intrusion detection model that integrates MIDS with AIDS.

4 Experiment

We conduct this experiment on the privileged process Sendmail. Sendmail provides various services, has relatively many vulnerabilities and tends to be controlled easily. Sendmail, which runs with root privilege, has access to more parts of the system. Therefore hackers target Sendmail to gain root privilege. Obviously privileged processes need more attention, so we conduct this experiment on Sendmail. Sendmail runs on a cluster with the Linux operating system in the Internet and Cluster Computing Center (ICCC) at Huazhong University of Science and Technology (HUST), and Strace 4.0 for Linux [10] is used to trace processes.

4.1 Sequence Database Construction

The NSCS database and the ISCS database are constructed in this experiment. The implementation of the NSCS database follows the method described in [5].

The procedure for constructing these two databases can be found in our previous work [15]. We trace Sendmail running for two months and obtain traces of a total of 5.5 million system call sequences by selecting typical data. Table 6 lists the total numbers of unique system call sequences for different sequence lengths. From the table we see that the longer the sequence length, the more unique system call sequences there are. Tables 7, 8 and 9 list some sequence samples and the total number of each sequence for different sequence lengths. It is obvious that the longer the sequence length, the smaller the total number of each sequence.

Table 6 Total Numbers of Unique System Call Sequences given Different Sequence Lengths
sequence length   total number of unique system call sequences

Table 7 Total Numbers of Sequence Samples with Length 6
sequence samples                                           total number of each
fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl
flock fstat64 flock flock fstat64 flock
time getpid getpid stat64 lstat64 geteuid

Table 8 Total Numbers of Sequence Samples with Length 9
sequence samples                                                              total number of each
fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl
flock fstat64 flock flock fstat64 flock flock fstat64 flock
time getpid getpid stat64 lstat64 geteuid32 lstat64 geteuid32 open

Table 9 Total Numbers of Sequence Samples with Length 12
sequence samples                                                                                   total number of each
fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl64 fcntl
flock fstat64 flock flock fstat64 flock flock fstat64 flock flock fstat64 flock
time getpid getpid stat64 lstat64 geteuid32 lstat64 geteuid32 open fstat64 flock open

Afterwards, we construct the ISCS database. We generate traces of three types of intrusion behavior that attack Sendmail effectively. The three types of intrusion are U2R (User to Root), buffer overflow and forwarding loop. The sunsendmailcp script, representing U2R, uses a special command line option to cause Sendmail to append a message to a file. By using this script, a local user might obtain root access. The syslog attack, representing buffer overflow, uses the syslog interface to overflow a buffer in Sendmail and leaves one port open for later intrusion. The forwarding loop writes special addresses and forward files to form a logical circle and to send letters from machine to machine [5]. During the intrusions, intrusion system call sequences are obtained. Strace runs on Sendmail for two months to collect intrusion traces. The total number of intrusion system calls turns out to be 300K, and the number of unique intrusion system call sequences is about 342 with length 6, about 420 with length 9, and about 513 with the length .

4.2 Detect Known and Novel Intrusions

To determine whether a system call sequence x is normal or not, we compare x with the sequences in the ISCS database and the NSCS database. If Sim(x, ISCS) is not less than $\lambda_I$, x is an intrusion system call sequence; in the same way, if Sim(x, NSCS) is not less than $\lambda_N$, x is a normal system call sequence. $\lambda_N$ is a threshold value above which a behavior is regarded as normal, and $\lambda_I$ is also a threshold value, above which a behavior is deemed an intrusion. Using the similarity measure, misuse intrusion detection based on the ISCS database and anomaly intrusion detection based on the NSCS database can work well independently. Otherwise, we use the improved Bayesian decision theorem to make a decision. Table 10 compares the detection rates for old intrusions and new intrusions with sequences of length 12 and with different cost ratios C. Here new intrusions refer to those that do not have corresponding instances in the training data. From the table we see that the detection rates of old intrusions have nothing to do with C: because the system call sequences of these old intrusions have been stored in the ISCS database, it is easy to detect old intrusions. In contrast, the detection rates of new intrusions depend on C, and a high detection rate can be obtained for C between 20 and 30.
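The following Python program is an added illustration of the procedure just described and is not the authors' code: it implements a position-wise similarity with an adjacency bonus (an assumed formulation of the measure described in section 3), Sim(x, Ψ_i) as the maximum over a profile (eq. 5), the risk sum of eq. 7 with a loss matrix in which a false alarm costs 1 and a missed intrusion costs C, and the λ_I / λ_N threshold checks before falling back to the minimum-risk rule of eq. 8. The normal profile is the three length-6 samples from Table 7; the intrusion profile, the probe sequence and the threshold values are constructed for the demonstration.

```python
"""Compound MIDS/AIDS decision over system-call sequences, after the model in
the paper. Added example, not the authors' code: the scoring rule, the loss
matrix, the thresholds and the ISCS samples are assumptions labelled below."""
from typing import NamedTuple, Sequence

Seq = Sequence[str]


def sim(x: Seq, y: Seq) -> float:
    """Similarity of two equal-length sequences (assumed formulation of the
    paper's measure): one point per position whose tokens agree, plus a bonus
    that grows with the length of the current run of adjacent agreements.
    Normalised by the score of a perfect match so the result lies in [0, 1]."""
    if len(x) != len(y) or not x:
        raise ValueError("sequences must be non-empty and of equal length")
    n = len(x)
    score = run = 0
    for a, b in zip(x, y):
        if a == b:
            run += 1          # adjacent matches are worth more than isolated ones
            score += run
        else:
            run = 0
    return score / (n * (n + 1) / 2)


def sim_to_set(x: Seq, profile: Sequence[Seq]) -> float:
    """Sim(x, Psi_i) = max over seq in Psi_i of Sim(x, seq)   (eq. 5)."""
    return max(sim(x, seq) for seq in profile)


def expected_risk(loss_row: Sequence[float], sims: Sequence[float]) -> float:
    """R(alpha_i | x) = sum_j lambda(alpha_i, w_j) * Sim(x, Psi_j)   (eq. 7)."""
    return sum(l * s for l, s in zip(loss_row, sims))


class Decision(NamedTuple):
    label: str            # "normal" or "intrusion"
    stage: str            # which sub-model decided: "MIDS", "AIDS" or "risk"
    sim_normal: float     # Sim(x, NSCS)
    sim_intrusion: float  # Sim(x, ISCS)
    risk_pass: float      # R(alpha_1 | x): risk of passing the sequence over
    risk_alarm: float     # R(alpha_2 | x): risk of raising an alarm


def compound_decide(x: Seq, nscs: Sequence[Seq], iscs: Sequence[Seq],
                    lam_n: float, lam_i: float, cost_ratio: float) -> Decision:
    """Section 4.2 procedure: misuse check against ISCS, anomaly check against
    NSCS, then the improved Bayesian decision when neither threshold is met.
    Assumptions: the ISCS check is applied first; correct decisions cost 0, a
    false alarm costs 1 and a missed intrusion costs cost_ratio (= C)."""
    s_n = sim_to_set(x, nscs)
    s_i = sim_to_set(x, iscs)
    # Loss matrix lambda(alpha_i, w_j): rows = actions, columns = states.
    loss = [[0.0, cost_ratio],   # alpha_1 (pass): wrong when w_2 (intrusion)
            [1.0, 0.0]]          # alpha_2 (alarm): wrong when w_1 (normal)
    sims = (s_n, s_i)
    r_pass = expected_risk(loss[0], sims)
    r_alarm = expected_risk(loss[1], sims)
    if s_i >= lam_i:
        return Decision("intrusion", "MIDS", s_n, s_i, r_pass, r_alarm)
    if s_n >= lam_n:
        return Decision("normal", "AIDS", s_n, s_i, r_pass, r_alarm)
    # Eq. 8: take the action of minimum risk; ties go to the alarm (assumption).
    label = "intrusion" if r_alarm <= r_pass else "normal"
    return Decision(label, "risk", s_n, s_i, r_pass, r_alarm)


# Normal profile: the three length-6 samples listed in Table 7 of the paper.
NSCS = [
    ("fcntl64", "fcntl64", "fcntl64", "fcntl64", "fcntl64", "fcntl"),
    ("flock", "fstat64", "flock", "flock", "fstat64", "flock"),
    ("time", "getpid", "getpid", "stat64", "lstat64", "geteuid"),
]
# Intrusion profile: constructed sample sequences, not real attack traces.
ISCS = [
    ("execve", "brk", "open", "read", "write", "close"),
    ("setuid", "execve", "open", "write", "write", "exit"),
]

if __name__ == "__main__":
    # Constructed probe: half normal-looking, half intrusion-looking, so that
    # neither threshold fires and the cost ratio C decides the outcome.
    probe = ("time", "getpid", "getpid", "stat64", "write", "exit")
    for c in (2, 25):
        d = compound_decide(probe, NSCS, ISCS, lam_n=0.7, lam_i=0.7, cost_ratio=c)
        print(f"C={c:>2}: {d.label:9s} via {d.stage:4s} "
              f"R(pass)={d.risk_pass:.3f} R(alarm)={d.risk_alarm:.3f}")
```

With C=2 the probe is passed as normal; with C=25 the missed-intrusion cost dominates and the same probe raises an alarm, which is the cost-ratio sensitivity that Table 10 reports for new intrusions.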
Table 10 Detection Rates with Different Cost Ratio C
C                 
Category          old   new   old   new   old   new   old   new
U2R
Buffer Overflow
Forwarding Loop

4.3 Experiment on IIS

An additional experiment is carried out on Internet Information Service (IIS) [11]. IIS runs on a cluster with the Windows operating system, and Strace for NT [8] is used to trace processes. We trace IIS running for four months free of intrusions, and finally there are about unique system call sequences in the NSCS database for sequence length 11. In order to collect raw data, Strace for NT [8] is used to record the system call sequences of the IIS process, and WinDump [12] and WinPcap [13] are used to collect network packets. While collecting data, several kinds of intrusion are used to attack the IIS: Ihttp, representing a U2R attack; Iiscrash, a kind of buffer overflow attack; and other kinds of intrusion, such as DDOS and Fluxay47. Three packages, numbered 1, 2 and 3, are collected over two weeks. Each package includes traces of IIS. These three packages are used as raw data, and the experimental results are shown in Table 11. The figures in Table 11 show that the time consumed for detection is acceptable.

Table 11 Time Consumed for Detection
            Size of Package   Time consumed
Package 1   123M              5ms
Package 2   123M              6ms
Package 3   203M              8ms

In the first two weeks, while we train this model, the size of the NSCS database is 5.19k and the false alarm rate is high; three months later, the size increases to 132k, and the false alarm rate is always below 10%. This shows that the richness of the NSCS database (and of the ISCS database) affects the performance of this model.

5 Conclusions and Discussion

In this paper, we propose a compound intrusion detection model based on an improved Bayesian decision theorem to reduce the false alarm rate and minimize the risks of false negatives and false positives. To achieve the goal of detection, the NSCS database and the ISCS database should be established first. Using the similarity measure, misuse intrusion detection based on the ISCS database and anomaly intrusion detection based on the NSCS database can work well independently. By applying the improved Bayesian decision theorem to our model, the combination of misuse intrusion detection and anomaly intrusion detection is achieved. Through the improved Bayesian decision theorem, we define the risk model to formulate the expected risk of an intrusion detection decision, and present risk-sensitive machine learning techniques that can produce a detection model that minimizes the risks of false negatives and false positives. Empirical experiments show that our model and deployment techniques are effective in reducing the overall intrusion detection risk. The results show that the detection rates of new intrusions depend on the cost ratio C, and a high detection rate can be obtained for C between 20 and 30. Whether the NSCS database or the ISCS database is rich enough influences the performance of this model. As long as these databases are kept rich enough, intrusions can be checked effectively. In order to collect as many normal system call sequences as possible, we need to trace the Sendmail service long enough, keep the service free of attacks or intrusions, and exercise as many kinds of Sendmail services as possible. Compared to the NSCS database, the ISCS database is easier to build. Sequences that are considerably different from those in the NSCS database will be inserted into the ISCS database. In order to deal with novel intrusions effectively, the ISCS database should be maintained frequently. Although some problems exist in our model, it provides an alternative approach to intrusion detection. We will attempt to apply other theories and techniques to the intrusion detection field.

References

1. S. Axelsson, Intrusion Detection Systems: A Taxonomy and Survey, Technical Report No 99-15, Dept. of Computer Engineering, Chalmers University of Technology, Sweden, March
2. S. Axelsson, The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection, Proc. of the 6th ACM Conference on Computer and Communications Security, Kent Ridge Digital Labs, Singapore, November 1-4, 1999, pp.
3. G. Casella and R. Berger, Statistical Inference, Wadsworth & Brooks/Cole, Belmont, California, 1990, pp.
4. P. Domingos, MetaCost: A General Method for Making Classifiers Cost-sensitive, Proc. of 5th Int. Conf. on Knowledge Discovery and Data Mining (KDD), 1999, pp.
5. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, A Sense of Self for Unix Processes, Proc. IEEE Symposium on Security and Privacy, Los Alamitos, CA, 1996, pp.
6. J. E. Gaffney and J. W. Ulvila, Evaluation of Intrusion Detectors: A Decision Theory Approach, Proc. of IEEE Symposium on Security and Privacy, 2001, pp.
7. L. Halme and B. Kahn, Building a Security Monitor with Adaptive User Work Profiles, Proc. of the 11th National Computer Security Conference, Washington DC, Oct, 1988, pp.
readme.html wichert/strace
14. S. A. Hofmeyr, S. Forrest, and A. Somayaji, Intrusion Detection using Sequences of System Calls, Journal of Computer Security, 6, 1998, pp.
15. H. Jin, J. Sun, H. Chen, and Z. Han, A Risk-sensitive Intrusion Detection Model, Proc. of International Conference on Information Security and Cryptography (ICISC 02), LNCS 2587, Springer-Verlag, 2003, pp.
16. T. Lane and C. E. Brodley, Sequence Matching and Learning in Anomaly Detection for Computer Security, Proc. of the AAAI-97 Workshop on AI Approaches to Fraud Detection and Risk Management, Menlo Park, CA: AAAI Press, 1997, pp.
17. T. Lane and C. E. Brodley, Temporal Sequence Learning and Data Reduction for Anomaly Detection, Proc. of the Fifth ACM Conference on Computer and Communications Security, 1998, pp.
18. T. Lane and C. E. Brodley, Temporal Sequence Learning and Data Reduction for Anomaly Detection, ACM Trans. on Information and System Security, 2, 1999, pp.
19. J. Lin, X. Wang, and S. Jajodia, Abstraction-based Misuse Detection: High-level Specifications and Adaptable Strategies, Proc. of IEEE Computer Security Foundations Workshop, Rockport, MA, June 1998, pp.
20. R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. R. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman, Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation, Proc. of DARPA Information Survivability Conference and Exposition, Jan 25-27, 2000, vol. 2, pp.
21. T. F. Lunt, Automated Audit Trail Analysis and Intrusion Detection: A Survey, Proc. of the 11th National Computer Security Conference, Baltimore, Maryland, 1988, NIST, pp.
22. Y. Okazaki, I. Sato, and S. Goto, A New Intrusion Detection Method based on Process Profiling, Proc. of the 2002 Symposium on Applications and the Internet (SAINT 02), pp.
23. J. Sun, H. Jin, H. Chen, and Z. Han, A Data Mining Based Intrusion Detection Model, Proc. of Fourth International Conference on Intelligent Data Engineering and Automated Learning (IDEAL 03),
24. T. Terano, K. Asai, and M. Sugeno, Fuzzy Systems Theory and Its Applications, Boston Academic Press, 1992, pp.
25. C. Warrender, S. Forrest, and B. Pearlmutter, Detecting Intrusions using System Calls: Alternative Data Models, Proc. of IEEE Symposium on Security and Privacy, 1999, pp.
26. B. Zadrozny and C. Elkan, Learning and Making Decisions When Costs and Probabilities are Both Unknown, Proc. of the Seventh International Conference on Knowledge Discovery and Data Mining (KDD 01), pp.


Formulation of a Heuristic Rule for Misuse and Anomaly Detection for U2R Attacks in Solaris TM Operating System Environment Formulation of a Heuristic Rule for Misuse and Anomaly Detection for U2R Attacks in Solaris TM Operating System Environment Maheshkumar Sabhnani EECS Dept, University of Toledo Toledo, Ohio 43606 USA Gursel

More information

Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes

Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes Thaksen J. Parvat USET G.G.S.Indratrastha University Dwarka, New Delhi 78 pthaksen.sit@sinhgad.edu Abstract Intrusion

More information

Measuring Intrusion Detection Capability: An Information- Theoretic Approach

Measuring Intrusion Detection Capability: An Information- Theoretic Approach Measuring Intrusion Detection Capability: An Information- Theoretic Approach Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee Georgia Tech Boris Skoric Philips Research Lab Outline Motivation Problem Why

More information

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence 2nd International Conference on Electronics, Network and Computer Engineering (ICENCE 206) A Network Intrusion Detection System Architecture Based on Snort and Computational Intelligence Tao Liu, a, Da

More information

Statistical Analysis in Syslog Files in DNS and Spam SMTP Relay Servers

Statistical Analysis in Syslog Files in DNS and Spam SMTP Relay Servers Statistical Analysis in Syslog Files in DNS and Spam SMTP Relay Servers Ryuichi Matsuba, Yasuo Musashi, and Kenichi Sugitani Center for Multimedia and Information Technologies, Kumamoto University, Kurokami,

More information

Effective Intrusion Type Identification with Edit Distance for HMM-Based Anomaly Detection System

Effective Intrusion Type Identification with Edit Distance for HMM-Based Anomaly Detection System Effective Intrusion Type Identification with Edit Distance for HMM-Based Anomaly Detection System Ja-Min Koo and Sung-Bae Cho Dept. of Computer Science, Yonsei University, Shinchon-dong, Seodaemoon-ku,

More information

McPAD and HMM-Web: two different approaches for the detection of attacks against Web applications

McPAD and HMM-Web: two different approaches for the detection of attacks against Web applications McPAD and HMM-Web: two different approaches for the detection of attacks against Web applications Davide Ariu, Igino Corona, Giorgio Giacinto, Fabio Roli University of Cagliari, Dept. of Electrical and

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

Bayesian Learning Networks Approach to Cybercrime Detection

Bayesian Learning Networks Approach to Cybercrime Detection Bayesian Learning Networks Approach to Cybercrime Detection N S ABOUZAKHAR, A GANI and G MANSON The Centre for Mobile Communications Research (C4MCR), University of Sheffield, Sheffield Regent Court, 211

More information

Payoff Based IDS Evaluation

Payoff Based IDS Evaluation Payoff Based IDS Evaluation Michael Collins RedJack, LLC Abstract IDS are regularly evaluated by comparing their false positive and false negative rates on ROC curves. However, this mechanism generally

More information

The Comparative Study of Machine Learning Algorithms in Text Data Classification*

The Comparative Study of Machine Learning Algorithms in Text Data Classification* The Comparative Study of Machine Learning Algorithms in Text Data Classification* Wang Xin School of Science, Beijing Information Science and Technology University Beijing, China Abstract Classification

More information

A Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks

A Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks A Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks S. Balachandran, D. Dasgupta, L. Wang Intelligent Security Systems Research Lab Department of Computer Science The University of

More information

International Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN

International Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN 1 Review: Boosting Classifiers For Intrusion Detection Richa Rawat, Anurag Jain ABSTRACT Network and host intrusion detection systems monitor malicious activities and the management station is a technique

More information

Review on Data Mining Techniques for Intrusion Detection System

Review on Data Mining Techniques for Intrusion Detection System Review on Data Mining Techniques for Intrusion Detection System Sandeep D 1, M. S. Chaudhari 2 Research Scholar, Dept. of Computer Science, P.B.C.E, Nagpur, India 1 HoD, Dept. of Computer Science, P.B.C.E,

More information

Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations

Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations Prateek Saxena March 3 2008 1 The Problems Today s lecture is on the discussion of the critique on 1998 and 1999 DARPA IDS evaluations conducted

More information

Intrusion Detection Using Data Mining Technique (Classification)

Intrusion Detection Using Data Mining Technique (Classification) Intrusion Detection Using Data Mining Technique (Classification) Dr.D.Aruna Kumari Phd 1 N.Tejeswani 2 G.Sravani 3 R.Phani Krishna 4 1 Associative professor, K L University,Guntur(dt), 2 B.Tech(1V/1V),ECM,

More information

A Data Mining Approach for Intrusion Detection System Using Boosted Decision Tree Approach

A Data Mining Approach for Intrusion Detection System Using Boosted Decision Tree Approach A Data Mining Approach for Intrusion Detection System Using Boosted Decision Tree Approach 1 Priyanka B Bera, 2 Ishan K Rajani, 1 P.G. Student, 2 Professor, 1 Department of Computer Engineering, 1 D.I.E.T,

More information

Incompatibility Dimensions and Integration of Atomic Commit Protocols

Incompatibility Dimensions and Integration of Atomic Commit Protocols The International Arab Journal of Information Technology, Vol. 5, No. 4, October 2008 381 Incompatibility Dimensions and Integration of Atomic Commit Protocols Yousef Al-Houmaily Department of Computer

More information

Artificial Immune System against Viral Attack

Artificial Immune System against Viral Attack Artificial Immune System against Viral Attack Hyungjoon Lee 1, Wonil Kim 2*, and Manpyo Hong 1 1 Digital Vaccine Lab, G,raduated School of Information and Communication Ajou University, Suwon, Republic

More information

Handling Web and Database Requests Using Fuzzy Rules for Anomaly Intrusion Detection

Handling Web and Database Requests Using Fuzzy Rules for Anomaly Intrusion Detection Journal of Computer Science 7 (2): 255-261, 2011 ISSN 1549-3636 2011 Science Publications Handling Web and Database Requests Using Fuzzy Rules for Anomaly Intrusion Detection Selvamani Kadirvelu and Kannan

More information

Feature selection using closeness to centers for network intrusion detection

Feature selection using closeness to centers for network intrusion detection Feature selection using closeness to centers for network intrusion detection 1 S. Sethuramalingam, 2 Dr. E.R. Naganathan 1 Department of Computer Science, Aditanar College, Tiruchur, India 2 Department

More information

A Sense of Self for Unix Processes

A Sense of Self for Unix Processes A Sense of Self for Unix Processes Stepannie Forrest,Steven A. Hofmeyr, Anil Somayaji, Thomas A. Longstaff Presenter: Ge Ruan Overview This paper presents an intrusion detection algorithm which is learned

More information

DUE TO advances in information-communication technology,

DUE TO advances in information-communication technology, IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS PART B: CYBERNETICS, VOL. 36, NO. 3, JUNE 2006 559 Evolutionary Neural Networks for Anomaly Detection Based on the Behavior of a Program Sang-Jun Han

More information

Data Mining Based Online Intrusion Detection

Data Mining Based Online Intrusion Detection International Journal of Engineering Research and Development e-issn: 2278-067X, p-issn: 2278-800X, www.ijerd.com Volume 3, Issue 12 (September 2012), PP. 59-63 Data Mining Based Online Intrusion Detection

More information

DNS Query Access and Backscattering SMTP Distributed Denial-of-Service Attack

DNS Query Access and Backscattering SMTP Distributed Denial-of-Service Attack DNS Query Access and Backscattering SMTP Distributed Denial-of-Service Attack Yasuo Musashi, Ryuichi Matsuba, and Kenichi Sugitani Center for Multimedia and Information Technologies, Kumamoto University,

More information

An Agent based Intrusion Detection System for Wireless Sensor Networks Using Multilevel Classification

An Agent based Intrusion Detection System for Wireless Sensor Networks Using Multilevel Classification Vol.2, Issue.1, pp-055-059 ISSN: 2249-6645 An Agent based Intrusion Detection System for Wireless Sensor Networks Using Multilevel Classification K.Kulothungan 1, S.Ganapathy 2, P.Yogesh 3 and A.Kannan

More information

A STUDY OF ANOMALY INTRUSION DETECTION USING MACHINE LEARNING TECHNIQUES

A STUDY OF ANOMALY INTRUSION DETECTION USING MACHINE LEARNING TECHNIQUES A STUDY OF ANOMALY INTRUSION DETECTION USING MACHINE LEARNING TECHNIQUES Zakiya Malek, Dr. Bhushan Trivedi GLS Institute of Technology Abstract-In the era of information systems and internet there is more

More information

Emerging Measures in Preserving Privacy for Publishing The Data

Emerging Measures in Preserving Privacy for Publishing The Data Emerging Measures in Preserving Privacy for Publishing The Data K.SIVARAMAN 1 Assistant Professor, Dept. of Computer Science, BIST, Bharath University, Chennai -600073 1 ABSTRACT: The information in the

More information

Technical Aspects of Intrusion Detection Techniques

Technical Aspects of Intrusion Detection Techniques Technical Aspects of Intrusion Detection Techniques Final Year Project 2003-04 Project Plan Version 0.2 28th, November 2003 By Cheung Lee Man 2001572141 Computer Science and Information Systems Supervisor

More information

Introduction Challenges with using ML Guidelines for using ML Conclusions

Introduction Challenges with using ML Guidelines for using ML Conclusions Introduction Challenges with using ML Guidelines for using ML Conclusions Misuse detection Exact descriptions of known bad behavior Anomaly detection Deviations from profiles of normal behavior First proposed

More information

Query-Sensitive Similarity Measure for Content-Based Image Retrieval

Query-Sensitive Similarity Measure for Content-Based Image Retrieval Query-Sensitive Similarity Measure for Content-Based Image Retrieval Zhi-Hua Zhou Hong-Bin Dai National Laboratory for Novel Software Technology Nanjing University, Nanjing 2193, China {zhouzh, daihb}@lamda.nju.edu.cn

More information

Fault Identification from Web Log Files by Pattern Discovery

Fault Identification from Web Log Files by Pattern Discovery ABSTRACT International Journal of Scientific Research in Computer Science, Engineering and Information Technology 2017 IJSRCSEIT Volume 2 Issue 2 ISSN : 2456-3307 Fault Identification from Web Log Files

More information

Systematic Detection And Resolution Of Firewall Policy Anomalies

Systematic Detection And Resolution Of Firewall Policy Anomalies Systematic Detection And Resolution Of Firewall Policy Anomalies 1.M.Madhuri 2.Knvssk Rajesh Dept.of CSE, Kakinada institute of Engineering & Tech., Korangi, kakinada, E.g.dt, AP, India. Abstract: In this

More information

Rough Set Approaches to Rule Induction from Incomplete Data

Rough Set Approaches to Rule Induction from Incomplete Data Proceedings of the IPMU'2004, the 10th International Conference on Information Processing and Management of Uncertainty in Knowledge-Based Systems, Perugia, Italy, July 4 9, 2004, vol. 2, 923 930 Rough

More information

Polygraph: Automatically Generating Signatures for Polymorphic Worms

Polygraph: Automatically Generating Signatures for Polymorphic Worms Polygraph: Automatically Generating Signatures for Polymorphic Worms James Newsome Brad Karp Dawn Song Presented by: Jeffrey Kirby Overview Motivation Polygraph Signature Generation Algorithm Evaluation

More information

A Rough Set Approach for Generation and Validation of Rules for Missing Attribute Values of a Data Set

A Rough Set Approach for Generation and Validation of Rules for Missing Attribute Values of a Data Set A Rough Set Approach for Generation and Validation of Rules for Missing Attribute Values of a Data Set Renu Vashist School of Computer Science and Engineering Shri Mata Vaishno Devi University, Katra,

More information

The Evolution of System-call Monitoring

The Evolution of System-call Monitoring The Evolution of System-call Monitoring Stephanie Forrest Steven Hofmeyr Anil Somayaji December, 2008 Outline of Talk A sense of self for Unix processes (Review) Emphasize method rather than results Evolutionary

More information

Internet Threat Detection System Using Bayesian Estimation

Internet Threat Detection System Using Bayesian Estimation Internet Threat Detection System Using Bayesian Estimation Masaki Ishiguro 1 Hironobu Suzuki 2 Ichiro Murase 1 Hiroyuki Ohno 3 Abstract. We present an Internet security threat detection system 4 using

More information

Improved Classification of Known and Unknown Network Traffic Flows using Semi-Supervised Machine Learning

Improved Classification of Known and Unknown Network Traffic Flows using Semi-Supervised Machine Learning Improved Classification of Known and Unknown Network Traffic Flows using Semi-Supervised Machine Learning Timothy Glennan, Christopher Leckie, Sarah M. Erfani Department of Computing and Information Systems,

More information

A study on fuzzy intrusion detection

A study on fuzzy intrusion detection A study on fuzzy intrusion detection J.T. Yao S.L. Zhao L. V. Saxton Department of Computer Science University of Regina Regina, Saskatchewan, Canada S4S 0A2 E-mail: [jtyao,zhao200s,saxton]@cs.uregina.ca

More information

Learning Rules from System Call Arguments and Sequences for Anomaly Detection

Learning Rules from System Call Arguments and Sequences for Anomaly Detection Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Technical Report CS-2003-20 Florida Institute of Technology Melbourne,

More information

Combination of PCA with SMOTE Resampling to Boost the Prediction Rate in Lung Cancer Dataset

Combination of PCA with SMOTE Resampling to Boost the Prediction Rate in Lung Cancer Dataset International Journal of Computer Applications (0975 8887) Combination of PCA with SMOTE Resampling to Boost the Prediction Rate in Lung Cancer Dataset Mehdi Naseriparsa Islamic Azad University Tehran

More information

Anomaly Detection on Data Streams with High Dimensional Data Environment

Anomaly Detection on Data Streams with High Dimensional Data Environment Anomaly Detection on Data Streams with High Dimensional Data Environment Mr. D. Gokul Prasath 1, Dr. R. Sivaraj, M.E, Ph.D., 2 Department of CSE, Velalar College of Engineering & Technology, Erode 1 Assistant

More information

Intrusion Detection Issues and Technologies

Intrusion Detection Issues and Technologies Intrusion Detection Issues and Technologies Julie J.C.H. Ryan, D.Sc. Presented to the Department of Veteran Affairs InfoSec2002 New Orleans May 2002 Detecting Intrusions Detection is one phase of security

More information

Automated Information Retrieval System Using Correlation Based Multi- Document Summarization Method

Automated Information Retrieval System Using Correlation Based Multi- Document Summarization Method Automated Information Retrieval System Using Correlation Based Multi- Document Summarization Method Dr.K.P.Kaliyamurthie HOD, Department of CSE, Bharath University, Tamilnadu, India ABSTRACT: Automated

More information

Pseudonym Based Security Architecture for Wireless Mesh Network

Pseudonym Based Security Architecture for Wireless Mesh Network IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661,p-ISSN: 2278-8727, Volume 16, Issue 4, Ver. VII (Jul Aug. 2014), PP 01-05 Pseudonym Based Security Architecture for Wireless Mesh Network

More information

An advanced data leakage detection system analyzing relations between data leak activity

An advanced data leakage detection system analyzing relations between data leak activity An advanced data leakage detection system analyzing relations between data leak activity Min-Ji Seo 1 Ph. D. Student, Software Convergence Department, Soongsil University, Seoul, 156-743, Korea. 1 Orcid

More information

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Intruders & Attacks Cyber criminals Activists State-sponsored organizations Advanced Persistent

More information

Detection and Deletion of Outliers from Large Datasets

Detection and Deletion of Outliers from Large Datasets Detection and Deletion of Outliers from Large Datasets Nithya.Jayaprakash 1, Ms. Caroline Mary 2 M. tech Student, Dept of Computer Science, Mohandas College of Engineering and Technology, India 1 Assistant

More information

Detection of Mass Mailing Worm-infected IP address by Analysis of Syslog for DNS server

Detection of Mass Mailing Worm-infected IP address by Analysis of Syslog for DNS server DNS syslog IP : - DNS syslog : (1) PC A MX DNS (2) UNIX PC spam A MX PTR DNS DNS PC Detection of Mass Mailing Worm-infected IP address by Analysis of Syslog for DNS server Ryuichi Matsuba, Yasuo Musashi,

More information

Intrusion Detection System using AI and Machine Learning Algorithm

Intrusion Detection System using AI and Machine Learning Algorithm Intrusion Detection System using AI and Machine Learning Algorithm Syam Akhil Repalle 1, Venkata Ratnam Kolluru 2 1 Student, Department of Electronics and Communication Engineering, Koneru Lakshmaiah Educational

More information

Iterative Removing Salt and Pepper Noise based on Neighbourhood Information

Iterative Removing Salt and Pepper Noise based on Neighbourhood Information Iterative Removing Salt and Pepper Noise based on Neighbourhood Information Liu Chun College of Computer Science and Information Technology Daqing Normal University Daqing, China Sun Bishen Twenty-seventh

More information

Identifying Stable File Access Patterns

Identifying Stable File Access Patterns Identifying Stable File Access Patterns Purvi Shah Jehan-François Pâris 1 Ahmed Amer 2 Darrell D. E. Long 3 University of Houston University of Houston University of Pittsburgh U. C. Santa Cruz purvi@cs.uh.edu

More information

A Linear Regression Model for Assessing the Ranking of Web Sites Based on Number of Visits

A Linear Regression Model for Assessing the Ranking of Web Sites Based on Number of Visits A Linear Regression Model for Assessing the Ranking of Web Sites Based on Number of Visits Dowming Yeh, Pei-Chen Sun, and Jia-Wen Lee National Kaoshiung Normal University Kaoshiung, Taiwan 802, Republic

More information

Web page recommendation using a stochastic process model

Web page recommendation using a stochastic process model Data Mining VII: Data, Text and Web Mining and their Business Applications 233 Web page recommendation using a stochastic process model B. J. Park 1, W. Choi 1 & S. H. Noh 2 1 Computer Science Department,

More information

A taxonomy of race. D. P. Helmbold, C. E. McDowell. September 28, University of California, Santa Cruz. Santa Cruz, CA

A taxonomy of race. D. P. Helmbold, C. E. McDowell. September 28, University of California, Santa Cruz. Santa Cruz, CA A taxonomy of race conditions. D. P. Helmbold, C. E. McDowell UCSC-CRL-94-34 September 28, 1994 Board of Studies in Computer and Information Sciences University of California, Santa Cruz Santa Cruz, CA

More information

Cell-to-switch assignment in. cellular networks. barebones particle swarm optimization

Cell-to-switch assignment in. cellular networks. barebones particle swarm optimization Cell-to-switch assignment in cellular networks using barebones particle swarm optimization Sotirios K. Goudos a), Konstantinos B. Baltzis, Christos Bachtsevanidis, and John N. Sahalos RadioCommunications

More information

Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers

Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers arxiv:1611.03053v1 [cs.cr] 9 Nov 2016 Amr S. Abed Department of Electrical & Computer Engineering Virginia

More information

Online Intrusion Alert Based on Aggregation and Correlation

Online Intrusion Alert Based on Aggregation and Correlation Online Intrusion Alert Based on Aggregation and Correlation Kunchakarra Anusha 1, K.V.D.Sagar 2 1 Pursuing M.Tech(CSE), Nalanda Institute of Engineering & Technology,Siddharth Nagar, Sattenapalli, Guntur.,

More information

A New Technique to Optimize User s Browsing Session using Data Mining

A New Technique to Optimize User s Browsing Session using Data Mining Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 3, March 2015,

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Dr. Ahmad Almulhem Computer Engineering Department, KFUPM Spring 2008 Ahmad Almulhem - Network Security Engineering - 2008 1 / 15 Outline 1 Introduction Overview History 2 Types

More information

Model Generation for an Intrusion Detection System Using Genetic Algorithms

Model Generation for an Intrusion Detection System Using Genetic Algorithms Model Generation for an Intrusion Detection System Using Genetic Algorithms Adhitya Chittur November 27, 2001 Ossining High School Ossining, NY Summary As malicious intrusions (commonly termed hacks )

More information

A Survey on Postive and Unlabelled Learning

A Survey on Postive and Unlabelled Learning A Survey on Postive and Unlabelled Learning Gang Li Computer & Information Sciences University of Delaware ligang@udel.edu Abstract In this paper we survey the main algorithms used in positive and unlabeled

More information

THE BAYESIAN RECEIVER OPERATING CHARACTERISTIC CURVE AN EFFECTIVE APPROACH TO EVALUATE THE IDS PERFORMANCE

THE BAYESIAN RECEIVER OPERATING CHARACTERISTIC CURVE AN EFFECTIVE APPROACH TO EVALUATE THE IDS PERFORMANCE БСУ Международна конференция - 2 THE BAYESIAN RECEIVER OPERATING CHARACTERISTIC CURVE AN EFFECTIVE APPROACH TO EVALUATE THE IDS PERFORMANCE Evgeniya Nikolova, Veselina Jecheva Burgas Free University Abstract:

More information

CHAPTER 3 A FAST K-MODES CLUSTERING ALGORITHM TO WAREHOUSE VERY LARGE HETEROGENEOUS MEDICAL DATABASES

CHAPTER 3 A FAST K-MODES CLUSTERING ALGORITHM TO WAREHOUSE VERY LARGE HETEROGENEOUS MEDICAL DATABASES 70 CHAPTER 3 A FAST K-MODES CLUSTERING ALGORITHM TO WAREHOUSE VERY LARGE HETEROGENEOUS MEDICAL DATABASES 3.1 INTRODUCTION In medical science, effective tools are essential to categorize and systematically

More information

Based on the fusion of neural network algorithm in the application of the anomaly detection

Based on the fusion of neural network algorithm in the application of the anomaly detection , pp.28-34 http://dx.doi.org/10.14257/astl.2016.134.05 Based on the fusion of neural network algorithm in the application of the anomaly detection Zhu YuanZhong Electrical and Information Engineering Department

More information

Pyrite or gold? It takes more than a pick and shovel

Pyrite or gold? It takes more than a pick and shovel Pyrite or gold? It takes more than a pick and shovel SEI/CERT -CyLab Carnegie Mellon University 20 August 2004 John McHugh, and a cast of thousands Pyrite or Gold? Failed promises Data mining and machine

More information

Intrusion Detection System based on Support Vector Machine and BN-KDD Data Set

Intrusion Detection System based on Support Vector Machine and BN-KDD Data Set Intrusion Detection System based on Support Vector Machine and BN-KDD Data Set Razieh Baradaran, Department of information technology, university of Qom, Qom, Iran R.baradaran@stu.qom.ac.ir Mahdieh HajiMohammadHosseini,

More information

An Approach for Privacy Preserving in Association Rule Mining Using Data Restriction

An Approach for Privacy Preserving in Association Rule Mining Using Data Restriction International Journal of Engineering Science Invention Volume 2 Issue 1 January. 2013 An Approach for Privacy Preserving in Association Rule Mining Using Data Restriction Janakiramaiah Bonam 1, Dr.RamaMohan

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

Hiding Intrusions: From the Abnormal to the Normal and Beyond

Hiding Intrusions: From the Abnormal to the Normal and Beyond Hiding Intrusions: From the Abnormal to the Normal and Beyond Kymie Tan 1,JohnMcHugh 2, and Kevin Killourhy 1 1 Carnegie Mellon University, Department of Computer Science Pittsburgh, PA 15213 USA {kmct,ksk}@cs.cmu.edu,

More information

A Conflict-Based Confidence Measure for Associative Classification

A Conflict-Based Confidence Measure for Associative Classification A Conflict-Based Confidence Measure for Associative Classification Peerapon Vateekul and Mei-Ling Shyu Department of Electrical and Computer Engineering University of Miami Coral Gables, FL 33124, USA

More information

A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters

A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters Slobodan Petrović NISlab, Department of Computer Science and Media Technology, Gjøvik University College,

More information

A Knowledge-based Alert Evaluation and Security Decision Support Framework 1

A Knowledge-based Alert Evaluation and Security Decision Support Framework 1 A Knowledge-based Alert Evaluation and Security Decision Support Framework 1 Jinqiao Yu Department of Mathematics and Computer Science Illinois Wesleyan Univerisity P.O.Box 2900 Bloomington, IL 61701 Ramana

More information

CS395/495 Computer Security Project #2

CS395/495 Computer Security Project #2 CS395/495 Computer Security Project #2 Important Dates Out: 1/19/2005 Due: 2/15/2005 11:59pm Winter 2005 Project Overview Intrusion Detection System (IDS) is a common tool to detect the malicious activity

More information

Intelligent Risk Identification and Analysis in IT Network Systems
