Multivariate data analysis software for enhancing system security

Abstract

This article describes an intrusion detection technique that aims to enhance the security of computing systems. The idea of intrusion detection is based on the hypothesis that computer users are typically involved in specific types of activity, and the set of programs they use will normally reflect that activity. Hence, security violations could be detected from abnormal patterns of system usage. Intrusion detection almost invariably involves two components: system monitoring and data analysis. In general, system monitoring records everything that each user performs in the system. Monitoring information is analyzed by use of some data analysis technique to abstract user behavior patterns from the audit log. Although the concept of system monitoring is widely supported in today's computer systems (at least for accounting purposes), the provision of tools for analyzing monitoring information is not sufficient. We present a multivariate data analysis technique that is a nice mathematical tool for the analysis of user behavior patterns in intrusion detection. Our system records all user activities in each login session; abnormal sessions are identified when the monitoring data are analyzed. Data analysis involves two steps: analysis of correlations and classification of behavior patterns. Analysis of correlations, which is based on standardized principal components analysis, partitions the set of user sessions into groups such that sessions within the same group are closely correlated and hence governed by the same behavior pattern. Classification of behavior patterns is automated by a cluster recognition technique. To visualize analysis results, the multivariate data set is summarized by factor analysis. © 1995.