Self-similarity based lightweight intrusion detection method

Hyukmin Kwon, Eunjin Kim, Song Jin Yu, Huy Kang Kim

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

There are many security concerns, such as data leakage, unauthorized access from outside the system, and abnormal activities from inside the system. To detect such abnormal activities or misuse by malicious attackers, an intrusion detection system (IDS) is usually adopted. Even though detection algorithms and their performance have improved, IDSs still consume a non-negligible amount of system resources. To provide a high-performance computing environment, a lightweight anomaly detection method is needed today. In this paper, we propose self-similarity measures for lightweight IDS. For normal systems, a regular and periodic self-similarity can be observed in a system's internal activities, such as system calls and process status. On the other hand, outliers occur when an anomalous attack happens, and the system's self-similarity can then no longer be maintained. Therefore, monitoring changes in a system's self-similarity can be used to detect the system's anomalies. From this viewpoint, we developed a new measure based on cosine similarity and found the optimal time interval for estimating the self-similarity of a given system. As a result, we can detect abnormal activities using only a few resources.
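A minimal sketch of the idea in the abstract, added here as an illustration and not the paper's own measure or code: system calls are counted per fixed time interval, and each interval's count vector is compared by cosine similarity with the last interval judged normal. The interval length, the 0.9 threshold, the compare-against-last-normal rule and the syscall trace are all assumptions constructed for this example.

```python
import math
from collections import Counter

def cosine(a, b):
    """Cosine similarity of two sparse count vectors (Counter objects)."""
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    if na == 0 or nb == 0:
        return 1.0 if na == nb else 0.0   # idle vs. idle is similar, idle vs. busy is not
    return sum(v * b.get(k, 0) for k, v in a.items()) / (na * nb)

def window_counts(events, interval):
    """Bucket (timestamp, syscall) pairs into per-interval frequency vectors."""
    start = min(t for t, _ in events)
    end = max(t for t, _ in events)
    wins = [Counter() for _ in range(int((end - start) // interval) + 1)]
    for t, name in events:
        wins[int((t - start) // interval)][name] += 1
    return wins

def detect(events, interval, threshold):
    """Return (scores, alerts): similarity of each window to the last normal
    window, and the indices of windows whose similarity fell below threshold."""
    wins = window_counts(events, interval)
    reference, scores, alerts = wins[0], [], []
    for i in range(1, len(wins)):
        s = cosine(reference, wins[i])
        scores.append(s)
        if s < threshold:
            alerts.append(i)          # self-similarity broken: flag, keep old reference
        else:
            reference = wins[i]       # still normal: let the reference follow slow drift
    return scores, alerts

def make_trace():
    """Constructed sample: six 10-second windows of a periodic workload,
    with window 4 replaced by an unusual syscall mix."""
    events = []
    for w in range(6):
        mix = {"read": 40 + w % 3, "write": 30, "poll": 20, "futex": 10}
        if w == 4:
            mix = {"read": 5, "execve": 30, "connect": 40, "mprotect": 25}
        for name, n in mix.items():
            events += [(w * 10 + i % 10, name) for i in range(n)]
    return events

if __name__ == "__main__":
    scores, alerts = detect(make_trace(), interval=10, threshold=0.9)
    print([round(s, 3) for s in scores], alerts)
```

The per-window cost is one pass over the events plus a dot product over the distinct syscall names seen, so the interval length governs both the detection delay and how stable the normal similarity score is.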

Original language: English
Pages (from-to): 3683-3690
Number of pages: 8
Journal: Information
Volume: 14
Issue number: 11
Publication status: Published - 2011 Nov 1

Fingerprint

Intrusion detection
Monitoring

Keywords

  • Anomaly detection
  • Information security
  • Intrusion detection
  • Lightweight
  • Self-similarity

ASJC Scopus subject areas

  • General

Cite this

Kwon, H., Kim, E., Yu, S. J., & Kim, H. K. (2011). Self-similarity based lightweight intrusion detection method. Information, 14(11), 3683-3690.

@article{75b1c69e11fa4918a23e4af45cf5a634,
title = "Self-similarity based lightweight intrusion detection method",
keywords = "Anomaly detection, Information security, Intrusion detection, Lightweight, Self-similarity",
author = "Hyukmin Kwon and Eunjin Kim and Yu, {Song Jin} and Kim, {Huy Kang}",
year = "2011",
month = "11",
day = "1",
language = "English",
volume = "14",
pages = "3683--3690",
journal = "Information (Japan)",
issn = "1343-4500",
publisher = "International Information Institute",
number = "11",

}

TY - JOUR

T1 - Self-similarity based lightweight intrusion detection method

AU - Kwon, Hyukmin

AU - Kim, Eunjin

AU - Yu, Song Jin

AU - Kim, Huy Kang

PY - 2011/11/1

Y1 - 2011/11/1

KW - Anomaly detection

KW - Information security

KW - Intrusion detection

KW - Lightweight

KW - Self-similarity

UR - http://www.scopus.com/inward/record.url?scp=84860113121&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84860113121&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:84860113121

VL - 14

SP - 3683

EP - 3690

JO - Information (Japan)

JF - Information (Japan)

SN - 1343-4500

IS - 11

ER -