Intrusion detection through learning behavior model

Citation
B. Balajinath and Sv. Raghavan, Intrusion detection through learning behavior model, COMPUT COMM, 24(12), 2001, pp. 1202-1212
Number of citations
23
Subject categories
Information Technology & Communication Systems
Journal title
COMPUTER COMMUNICATIONS
Journal ISSN
0140-3664
Volume
24
Issue
12
Year of publication
2001
Pages
1202 - 1212
Database
ISI
SICI code
0140-3664(20010715)24:12<1202:IDTLBM>2.0.ZU;2-N
Abstract
Intrusion detection is the process of identifying user actions that might potentially lead a system from a secured state to a compromised state. Normally, it is observed that users exhibit regularities in their usage of the commands of a system, as they tend to achieve the same (or perhaps similar) objective. The command sequences can therefore be used to characterize the user behavior (ACM SIGMETRICS, Performance Evaluation Review, Texas, USA, 13(2) (1985) 40). Deviations from the characteristic behavior pattern of a user can be used to detect potential intrusions. But it requires that the user behavior is modeled either on an individual or on a group basis, in such a way that the model captures the essence of the user behavior. In the work reported here, we propose an algorithm for intrusion detection, called Genetic algorithm Based Intrusion Detector (GBID), based on "learning the individual user behavior". The user behavior is learnt by using genetic algorithms. Current user behavior can be predicted by genetic algorithms based on the past observed user behavior. The user behavior has been described using a 3-tuple (Match index, Entropy index, Newness index). The value of the 3-tuple is calculated for a fixed block size of commands in a user session, called a command sample. The 3-tuple value of a command sample in a user session is compared with the expected non-intrusive behavior 3-tuple value to find intrusions. (C) 2001 Elsevier Science B.V. All rights reserved.
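The following is an added illustration of the idea in the abstract, not code from the paper: a per-user profile is learnt from past command sessions, every fixed-size command sample is reduced to a (Match index, Entropy index, Newness index) 3-tuple, and a sample whose tuple deviates too far from the expected non-intrusive tuple is flagged. The abstract does not give the index formulas or the genetic-algorithm predictor, so everything below is an assumption: the GA predictor is replaced by a most-frequent-successor (bigram) predictor, "match" is the fraction of transitions the predictor gets right, "entropy" is the normalised Shannon entropy of the commands in the sample, "newness" is the fraction of commands never seen in the user's history, and the tolerance is the largest deviation seen in training plus a margin. The training sessions and test samples are constructed, and `BLOCK_SIZE`, `learn_profile`, `is_intrusive` and the other names are the example's own.

```python
"""Toy 3-tuple (match, entropy, newness) behaviour profile over command samples.
Added example in the spirit of the GBID abstract; the index definitions,
the bigram predictor standing in for the genetic algorithm, and the
tolerance rule are all assumptions, not the paper's method."""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass

BLOCK_SIZE = 6  # commands per "command sample" (assumed block size)


@dataclass
class Profile:
    known: set[str]                       # commands seen in the user's history
    next_cmd: dict[str, str]              # most frequent successor of each command
    expected: tuple[float, float, float]  # mean non-intrusive 3-tuple
    tolerance: float                      # max training deviation + margin


def match_index(sample: list[str], next_cmd: dict[str, str]) -> float:
    """Fraction of transitions whose next command equals the predicted one
    (assumption: a bigram predictor stands in for the GA-predicted behaviour)."""
    pairs = list(zip(sample, sample[1:]))
    if not pairs:
        return 0.0
    hits = sum(1 for prev, cur in pairs if next_cmd.get(prev) == cur)
    return hits / len(pairs)


def entropy_index(sample: list[str]) -> float:
    """Shannon entropy of the command distribution in the sample, normalised
    to [0, 1] by log2(sample length) (assumed normalisation)."""
    n = len(sample)
    if n < 2:
        return 0.0
    counts = Counter(sample)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def newness_index(sample: list[str], known: set[str]) -> float:
    """Fraction of commands in the sample never seen in the user's history."""
    if not sample:
        return 0.0
    return sum(1 for c in sample if c not in known) / len(sample)


def behaviour_tuple(sample, known, next_cmd) -> tuple[float, float, float]:
    return (match_index(sample, next_cmd), entropy_index(sample),
            newness_index(sample, known))


def windows(session: list[str], size: int = BLOCK_SIZE) -> list[list[str]]:
    """Sliding command samples of fixed block size over one session."""
    return [session[i:i + size] for i in range(len(session) - size + 1)]


def distance(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def learn_profile(sessions: list[list[str]], margin: float = 0.1) -> Profile:
    """Learn the expected non-intrusive 3-tuple from past sessions."""
    known = {c for s in sessions for c in s}
    successors: dict[str, Counter] = defaultdict(Counter)
    for s in sessions:
        for prev, cur in zip(s, s[1:]):
            successors[prev][cur] += 1
    next_cmd = {p: cnt.most_common(1)[0][0] for p, cnt in successors.items()}
    tuples = [behaviour_tuple(w, known, next_cmd) for s in sessions for w in windows(s)]
    expected = tuple(sum(t[i] for t in tuples) / len(tuples) for i in range(3))
    tolerance = max(distance(t, expected) for t in tuples) + margin
    return Profile(known, next_cmd, expected, tolerance)


def is_intrusive(sample: list[str], profile: Profile) -> tuple[bool, tuple]:
    """Flag a command sample whose 3-tuple deviates from the expected one."""
    t = behaviour_tuple(sample, profile.known, profile.next_cmd)
    return distance(t, profile.expected) > profile.tolerance, t


# Constructed history of one user: a repeated edit-build-commit loop.
TRAINING = [
    "cd ls vi make ls git cd ls vi make ls git cd ls vi make ls git".split(),
    "cd ls vi make make ls git cd ls vi make ls git cd vi make ls git".split(),
]

if __name__ == "__main__":
    prof = learn_profile(TRAINING)
    print("expected 3-tuple:", tuple(round(x, 3) for x in prof.expected))
    for sample in (TRAINING[0][:BLOCK_SIZE],
                   "find cat tar gzip scp chmod".split()):  # constructed samples
        flag, t = is_intrusive(sample, prof)
        print(sample, "->", tuple(round(x, 3) for x in t), "INTRUSIVE" if flag else "ok")
```

Because the second sample consists entirely of commands the profile has never seen, its newness index is 1.0 and its match index 0.0, so it lands far outside the tolerance regardless of how regular the training data were; a sample drawn from the user's own history stays within tolerance by construction.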