Abstract
There are many security concerns such as data leakage, unauthorized access from outside the system and abnormal activities from inside the system. To detect these system's abnormal activities or misuse by malicious attackers, intrusion detection system (IDS) is usually adopted. Even though detection algorithms and their performance are improved, IDS still consume system resources not ignorable. For providing high performance computing environment, lightweight anomaly detection method is needed today. In this paper, we propose self-similarity measures for lightweight IDS. For normal systems, a regular and periodic self-similarity can be observed in a system's internal activities such as system calls and process status. On the other hand, outliers occur when an anomalous attack happens, and then the system's self-similarity cannot be maintained. Therefore monitoring the changes of a system's self-similarity can be used to detect the system's anomalies. From this viewpoint, we developed a new measure based on cosine similarity and found the optimal time interval for estimating the self-similarity of a given system. As a result, we can detect abnormal activities using only a few resources.
| Original language | English |
|---|---|
| Pages (from-to) | 3683-3690 |
| Number of pages | 8 |
| Journal | Information |
| Volume | 14 |
| Issue number | 11 |
| Publication status | Published - 2011 Nov 1 |
Fingerprint
Keywords
- Anomaly detection
- Information security
- Intrusion detection
- Lightweight
- Self-similarity
ASJC Scopus subject areas
- General
Cite this
Self-similarity based lightweight intrusion detection method. / Kwon, Hyukmin; Kim, Eunjin; Yu, Song Jin; Kim, Huy Kang.
In: Information, Vol. 14, No. 11, 01.11.2011, p. 3683-3690.Research output: Contribution to journal › Article
}
TY - JOUR
T1 - Self-similarity based lightweight intrusion detection method
AU - Kwon, Hyukmin
AU - Kim, Eunjin
AU - Yu, Song Jin
AU - Kim, Huy Kang
PY - 2011/11/1
Y1 - 2011/11/1
N2 - There are many security concerns such as data leakage, unauthorized access from outside the system and abnormal activities from inside the system. To detect these system's abnormal activities or misuse by malicious attackers, intrusion detection system (IDS) is usually adopted. Even though detection algorithms and their performance are improved, IDS still consume system resources not ignorable. For providing high performance computing environment, lightweight anomaly detection method is needed today. In this paper, we propose self-similarity measures for lightweight IDS. For normal systems, a regular and periodic self-similarity can be observed in a system's internal activities such as system calls and process status. On the other hand, outliers occur when an anomalous attack happens, and then the system's self-similarity cannot be maintained. Therefore monitoring the changes of a system's self-similarity can be used to detect the system's anomalies. From this viewpoint, we developed a new measure based on cosine similarity and found the optimal time interval for estimating the self-similarity of a given system. As a result, we can detect abnormal activities using only a few resources.
AB - There are many security concerns such as data leakage, unauthorized access from outside the system and abnormal activities from inside the system. To detect these system's abnormal activities or misuse by malicious attackers, intrusion detection system (IDS) is usually adopted. Even though detection algorithms and their performance are improved, IDS still consume system resources not ignorable. For providing high performance computing environment, lightweight anomaly detection method is needed today. In this paper, we propose self-similarity measures for lightweight IDS. For normal systems, a regular and periodic self-similarity can be observed in a system's internal activities such as system calls and process status. On the other hand, outliers occur when an anomalous attack happens, and then the system's self-similarity cannot be maintained. Therefore monitoring the changes of a system's self-similarity can be used to detect the system's anomalies. From this viewpoint, we developed a new measure based on cosine similarity and found the optimal time interval for estimating the self-similarity of a given system. As a result, we can detect abnormal activities using only a few resources.
KW - Anomaly detection
KW - Information security
KW - Intrusion detection
KW - Lightweight
KW - Self-similarity
UR - http://www.scopus.com/inward/record.url?scp=84860113121&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84860113121&partnerID=8YFLogxK
M3 - Article
AN - SCOPUS:84860113121
VL - 14
SP - 3683
EP - 3690
JO - Information (Japan)
JF - Information (Japan)
SN - 1343-4500
IS - 11
ER -