An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems

An intrusion into an information system compromises its security (e.g. avai lability, integrity and confidentiality) through a series of events in the information system. Intrusive events often show departures (anomalies) from normal events in an information system. This paper presents an anomaly det ection technique based on a chi-square statistic. This technique builds a p rofile of normal events in an information system-a norm profile computes th e departure of events in the recent past from the norm profile and detects a large departure as an anomaly-a likely intrusion. This technique was test ed for its performance in distinguishing normal events from intrusive event s in an information system. The test results demonstrated the promising per formance of this technique for intrusion detection in terms of a low false alarm rate and a high detection rate. Intrusive events were detected at a v ery early stage. Copyright (C) 2001 John Wiley & Sons, Ltd.