Intrusion detection is the process of identifying user actions that might potentially lead a system from a secured state to a compromised state. Normally, it is observed that users exhibit regularities in their usage of the commands of a system, as they tend to achieve the same (or perhaps similar) objective. The command sequences can therefore be used to characterize the user behavior (ACM SIGMETRICS, Performance Evaluation Review, Texas, USA, 13(2) (1985) 40). Deviations from the characteristic behavior pattern of a user can be used to detect potential intrusions. This, however, requires that the user behavior is modeled, either on an individual or on a group basis, in such a way that the model captures the essence of the user behavior. In the work reported here, we propose an algorithm for intrusion detection, called Genetic algorithm Based Intrusion Detector (GBID), based on "learning the individual user behavior". The user behavior is learnt by using genetic algorithms. Current user behavior can be predicted by genetic algorithms based on the past observed user behavior. The user behavior has been described using a 3-tuple (Match index, Entropy index, Newness index). The value of the 3-tuple is calculated for a fixed-size block of commands in a user session, called a command sample. The 3-tuple value of a command sample in a user session is compared with the expected non-intrusive behavior 3-tuple value to find intrusions. (C) 2001 Elsevier Science B.V. All rights reserved.