
A Fuzzy Approach to User-level Intrusion Detection

Published in: International Journal of Fuzzy Systems

Abstract

Traditionally, researchers have focused on network-level and program-level intrusion detection to improve computer security. However, neither approach is foolproof. Typically, a successful attack manifests as the attacker becoming a user on the host, with either elevated or normal user privileges. This situation persists because current research and technology development have focused on external threats rather than internal ones. User-level intrusion detection therefore attempts to deter and curtail an attacker even after the system has been compromised. This paper proposes a novel method for anomaly detection of user behavior. Given the complexity and fluctuation of user behavior, our method builds a finite automaton to profile the user's normal behavior, using the closeness of commands within patterns together with timing-sequence and frequency information between patterns. This gives the discrete training data a holistic structure that expresses the user's normal behavior more accurately. In the detection stage, our method builds a threat evaluation system using fuzzy logic. Experimental results on the Purdue University and SEA data sets and on self-collected data show that accurate, effective and efficient detection can be achieved with the proposed approach.
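The profile-then-score pipeline the abstract sketches, as an added Python illustration that is not the paper's algorithm or code: a finite automaton over observed commands, weighted by transition frequency, and a fuzzy threat evaluation over the fraction of transitions the automaton rejects. The command history, the weight threshold and the membership functions are constructed assumptions; the paper's command-closeness and timing features are not modelled here.

```python
from collections import Counter, defaultdict

# Constructed training data: one user's normal shell command history (not from the paper).
NORMAL_HISTORY = ["ls", "cd", "ls", "vim", "gcc", "ls", "cd", "ls", "vim", "gcc",
                  "make", "ls", "cd", "vim", "gcc", "make", "ls"]
# Assumed threshold: a transition weighted below this is treated as outside the profile.
MIN_WEIGHT = 0.05

def build_profile(commands):
    """Finite-automaton profile: each command is a state, transitions carry relative frequency."""
    counts = defaultdict(Counter)
    for cur, nxt in zip(commands, commands[1:]):
        counts[cur][nxt] += 1
    return {cur: {nxt: c / sum(nxts.values()) for nxt, c in nxts.items()}
            for cur, nxts in counts.items()}

def anomaly_ratio(profile, window):
    """Fraction of transitions in a test window that the automaton does not accept."""
    pairs = list(zip(window, window[1:]))
    if not pairs:
        return 0.0
    rejected = sum(1 for cur, nxt in pairs if profile.get(cur, {}).get(nxt, 0.0) < MIN_WEIGHT)
    return rejected / len(pairs)

def fuzzy_threat(ratio):
    """Assumed triangular membership functions mapping the anomaly ratio to a threat level."""
    memberships = {
        "low": max(0.0, min(1.0, (0.4 - ratio) / 0.4)),      # full at 0, gone by 0.4
        "medium": max(0.0, 1.0 - abs(ratio - 0.5) / 0.3),    # peak at 0.5, support 0.2..0.8
        "high": max(0.0, min(1.0, (ratio - 0.6) / 0.4)),     # starts at 0.6, full at 1.0
    }
    return max(memberships, key=memberships.get), memberships

def evaluate(profile, window):
    """Score one window of observed commands against the profile."""
    ratio = anomaly_ratio(profile, window)
    label, memberships = fuzzy_threat(ratio)
    return {"ratio": ratio, "label": label, "memberships": memberships}

if __name__ == "__main__":
    profile = build_profile(NORMAL_HISTORY)
    # Constructed test windows: one matching the profile, one from a different user.
    print(evaluate(profile, ["ls", "cd", "ls", "vim", "gcc", "make"]))
    print(evaluate(profile, ["ls", "cd", "ls", "tar", "scp", "crontab"]))
```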



Acknowledgements

The authors are grateful to all the referees for their comments and suggestions, which helped shape the present form of the paper.


Corresponding author

Correspondence to Fuquan Zhang.


Cite this article

Liu, W., Mao, Y., Ci, L. et al. A Fuzzy Approach to User-level Intrusion Detection. Int. J. Fuzzy Syst. 23, 862–877 (2021). https://doi.org/10.1007/s40815-020-00947-1
